COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS 
1. License grant. Nortel Networks NA Inc. (“Nortel Networks”) grants the end user of the Software (“Licensee”) a 
Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks’ and its 
licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose 
to any third party the Software, or any information about the operation, design, performance, or implementation of the 
Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant 
agreed to use the Software only in accordance with the terms of this license. 
remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be 
included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the 
Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days 
from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is 
returned to Nortel Networks during the warranty period along with proof of the date of shipment. This warranty does not 
apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility 
for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained 
from the Software. Nortel Networks does not warrant a) that the functions contained in the software will meet the 
Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee 
may select, 

c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the 
Software will be corrected. Nortel Networks is not obligated to remedy any Software defect that cannot be reproduced 
with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel 
Networks or in accordance with its instructions; (ii) used in conjunction with another vendor’s product, resulting in the 
defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING 
WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER 
WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF 
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its 
own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered 
files, data, or programs. 
4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR 
ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL 
DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR 
PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF 
Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or 
disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial 
Computer Software—Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian 
agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 
252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable. 
European Community. If Licensee uses the Software within a country in the European Community, the Software 
Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination 
of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended 
examination of the Software and may procure support and assistance from Nortel Networks. 

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to 
Nortel Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the 
Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks’ confidential information 
shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if 
Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee 
will immediately destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not 
liable to Licensee for damages in any form solely by reason of the termination of this license. 

8. Export and re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or 
information without first obtaining any required export licenses or other governmental approvals. Without limiting the 
foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all 
export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such 
Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted 
or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or 
embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for 
any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons. 

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent 
jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will 
be governed by the laws of the state of California. 

Should you have any questions concerning this Agreement, contact Nortel Networks, 4401 Great America Parkway, 
P.O. Box 58185, Santa Clara, California 95054-8185. 

LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND 
AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS 
AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND 
LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND 
COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS 
AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL 
NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN 
EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT. 
Preface 


This guide introduces you to the Nortel Networks™ Contivity® Stateful Firewall. 
Topics include: 

• Firewall concepts 

• Configuring the firewall 

• Monitoring the firewall 

• Firewall command line interface 

Complete details for configuring and monitoring the Contivity VPN Switch are in 
Configuring the Contivity VPN Switch and the Reference for the Contivity VPN 
Switch. 


Before you begin 

This guide is intended for network managers who are responsible for setting up 
the software for the Contivity VPN Switch and the Contivity Stateful Firewall. 
This guide assumes that you have the following background: 

• Experience with windowing systems or graphical user interfaces (GUIs) 

• Familiarity with network management 


Managing the Contivity Stateful Firewall 





Text conventions 

This guide uses the following text conventions: 

braces ({}) 
    Indicate required elements in syntax descriptions where there is more than 
    one option. You must choose only one of the options. Do not type the braces 
    when entering the command. 
    Example: If the command syntax is show ip {alerts | routes}, you must enter 
    either show ip alerts or show ip routes, but not both. 

brackets ([ ]) 
    Indicate optional elements in syntax descriptions. Do not type the brackets 
    when entering the command. 
    Example: If the command syntax is show ip interfaces [-alerts], you can 
    enter either show ip interfaces or show ip interfaces -alerts. 

italic text 
    Indicates file and directory names, new terms, book titles, Web addresses, 
    and variables in command syntax descriptions. Where a variable is two or 
    more words, the words are connected by an underscore. 
    Example: If the command syntax is show at <valid_route>, valid_route is one 
    variable and you substitute one value for it. 

plain Courier text 
    Indicates command syntax and system output, for example, prompts and system 
    messages. 
    Example: Set Trap Monitor Filters 

arrow (->) 
    Shows menu paths. 
    Example: Protocols->IP identifies the IP option on the Protocols menu. 

vertical line (|) 
    Separates choices for command keywords and arguments. Enter only one of the 
    choices. Do not type the vertical line when entering the command. 
    Example: If the command syntax is show ip {alerts | routes}, you enter 
    either show ip alerts or show ip routes, but not both. 


Related publications 

For more information about using the Contivity Stateful Firewall, refer to the 

following publications: 

• Release notes provide the latest information, including known problems, 
workarounds, and special considerations. 

• Configuring the Contivity VPN Switch provides complete details on 
configuring, monitoring, and troubleshooting your switch. 

• Reference for the Contivity VPN Switch provides details on the Contivity VPN 
switch user interface screens. 


Hard-copy technical manuals 

You can print selected technical manuals and release notes free, directly from the 
Internet. Go to the support.baynetworks.com/library/tpubs/ Web address. Find the 
product for which you need documentation. Then locate the specific category and 
model or version for your hardware or software product. Use Adobe Acrobat 
Reader to open the manuals and release notes, search for the sections you need, 
and print them on most standard printers. Go to the Adobe Systems Web address 
at www.adobe.com to download a free copy of Acrobat Reader. 

You can purchase selected documentation sets, CDs, and technical publications 
through the Internet at the www1.fatbrain.com/documentation/nortel Web address. 
How to get help 

If you purchased a service contract for your Nortel Networks product from a 
distributor or authorized reseller, contact the technical support staff for that 
distributor or reseller for assistance. 

If you purchased a Nortel Networks service program, contact one of the following 
Nortel Networks Technical Solutions Centers: 


Technical Solutions Center        Telephone 
Billerica, MA                     800-2LANWAN or (800) 252-6926 
Santa Clara, CA                   800-2LANWAN or (800) 252-6926 
Valbonne, France                  (33) (4) 92-96-69-68 
Sydney, Australia                 (61) (2) 9927-8800 
Tokyo, Japan                      (81) (3) 5740-1700 


312538-A Rev 01 






Chapter 1 

Introducing the Firewall 


This chapter introduces the Contivity Stateful Firewall and provides an overview 
of the firewall components. 


Firewall concepts 

The Contivity Stateful Firewall provides a secure access point between an internal 
network and an external network, such as the Internet. The firewall allows you to 
protect your network and the information on it from unauthorized intrusion from 
external networks. The firewall provides a line of defense to allow acceptable 
traffic, as defined by your organization, and to drop all unacceptable traffic before 
it enters or leaves the network. It monitors packets and sessions to make decisions 
based on established rules to determine the appropriate actions to take. 

By using stateful inspection, the Contivity Stateful Firewall provides a high level 
of security, the fastest runtime, and the flexibility to define the rules to fit your 
environment. The firewall delivers full firewall capabilities, assuring the highest 
level of network security. To do this, the firewall examines both incoming and 
outgoing packets running against a common security policy. All service rules are 
interpreted on IP conversations (not packets) and are fully stateful. Service rules 
do not filter packets directly, but the firewall services determine how to process 
them based on the security policy defined. The firewall provides a user interface 
to help you determine the appropriate rules for your network. 

The Contivity Stateful Firewall achieves optimum performance as a result of 
advanced memory management techniques and optimized packet inspection. 

In addition, you can configure the firewall to log some or all significant events. 
This includes all connections over the network, such as all e-mail transactions, 
firewall status changes, and system failures. You can use the logged information 
to help enhance network security or track unauthorized use. 
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Component descriptions 

The following sections provide brief descriptions of the various components of 
the firewall. 

Stateful inspection 

Some protocols are difficult to allow through a firewall securely using traditional 
filtering mechanisms. In FTP, for example, the control connection is typically 
created using a known port, but the data connection is over a random port. To 
allow an FTP data connection through a firewall without leaving a large number 
of open ports requires stateful inspection: packets are inspected at the 
application layer to determine which port the data connection is using. Traffic on 
that port can then be allowed to pass through the firewall for the duration of the 
FTP session. 

Transport-level state inspection provides a number of ways to make TCP traffic 
more secure and more difficult for hackers to intercept. Stateful inspection of TCP 
consists of verifying the consistency of the TCP header as well as preventing 
some well-known TCP attacks. TCP sequence numbers are randomized to prevent 
sequence number guessing. 

Stateful inspection of an application is unique for each application. Any 
non-predicted ports used by an application are validated and allowed through the 
firewall using stateful inspection. The following applications are inspected: 

• FTP 

• TFTP 

• RCMD 

• SQLNET 

• VDOLive 

• RealAudio 
A conversation is created for all unique end-to-end communication. For instance, 
an FTP session between a client and a server can consist of several streams of 
traffic, with both data and control packets flowing back and forth. All of this 
traffic is contained in the same conversation. Since the Contivity Stateful Firewall 
also supports tunneled traffic, each unique tunnel (end user or branch office) 
would be identified by its own conversation. 
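The following Python example is added here to illustrate the stateful-inspection and conversation concepts described above; it is not code from the Contivity software or this manual. It parses the FTP control channel for an active-mode PORT command or a passive-mode 227 reply, derives the data-connection address and port, and opens a one-shot pinhole tied to the same conversation. It also shows one check the text implies but does not spell out: an active-mode PORT that names a host other than the client itself (the classic FTP bounce) is refused. Class names, sample addresses and the control-channel lines are constructed for illustration. 

```python
"""Stateful inspection of FTP (added example, not Contivity code)."""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  (client tells server where to connect, active mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server tells client, passive mode)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """Turn the six-number FTP address form into (ip, port)."""
    return ".".join((h1, h2, h3, h4)), int(p1) * 256 + int(p2)


@dataclass
class Conversation:
    """One end-to-end FTP session: control channel plus any data streams it spawns."""
    client: tuple                              # (ip, port) of the control-channel initiator
    server: tuple                              # (ip, 21)
    expected: set = field(default_factory=set)  # pinholes: (src_ip, dst_ip, dst_port)
    data_flows: set = field(default_factory=set)


class FtpInspector:
    def __init__(self):
        self.conversations = {}

    def control(self, client, server, line, from_client):
        """Inspect one control-channel line; open a pinhole if it announces a data port."""
        conv = self.conversations.setdefault((client, server), Conversation(client, server))
        if from_client:
            m = PORT_RE.match(line)
            if m:
                ip, port = _decode(*m.groups())
                # The data address must be the client itself; anything else would let the
                # client open a hole to a third host (FTP bounce). Privileged ports are refused too.
                if ip != client[0]:
                    return "rejected PORT"
                if port < 1024:
                    return "rejected privileged port"
                conv.expected.add((server[0], ip, port))   # server connects to client:port
                return "pinhole"
        else:
            m = PASV_RE.match(line)
            if m:
                ip, port = _decode(*m.groups())
                if ip != server[0]:                        # server may only name itself
                    return "rejected PASV"
                conv.expected.add((client[0], ip, port))   # client connects to server:port
                return "pinhole"
        return "ok"

    def data_syn(self, src_ip, dst_ip, dst_port):
        """Admit a new TCP connection only if a pinhole expects it; the pinhole is consumed."""
        key = (src_ip, dst_ip, dst_port)
        for conv in self.conversations.values():
            if key in conv.expected:
                conv.expected.discard(key)
                conv.data_flows.add(key)
                return True
        return False


def demo():
    """Constructed session: passive transfer, replayed connection, bounce attempt, stray SYN."""
    fw = FtpInspector()
    client, server = ("10.1.1.5", 40000), ("203.0.113.10", 21)
    results = []
    fw.control(client, server, "PASV", True)
    fw.control(client, server, "227 Entering Passive Mode (203,0,113,10,39,16)", False)
    results.append(fw.data_syn("10.1.1.5", "203.0.113.10", 39 * 256 + 16))   # admitted
    results.append(fw.data_syn("10.1.1.5", "203.0.113.10", 39 * 256 + 16))   # pinhole already used
    results.append(fw.control(client, server, "PORT 10,1,1,99,4,1", True))   # bounce to 10.1.1.99
    results.append(fw.data_syn("198.51.100.7", "10.1.1.5", 1025))            # nothing expects this
    return results


if __name__ == "__main__":
    print(demo())
```

Because the pinhole is consumed on first use and is keyed to the exact source, destination and port announced on the control channel, the firewall never has to leave a range of high ports open for the life of the session. 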

Interfaces 

The Contivity VPN Switch has many interfaces. Each tunnel (end user or branch 
office) is a virtual interface, and all switches have two or more physical interfaces. 
Packets can be classified by the interface on which they arrive at the switch (the 
source interface) or the interface on which they leave the switch (the destination 
interface). 

The rules in a policy can be constructed to either use or ignore this classification. 
If the rule designates “Any” as an interface, the rule ignores this classification. If 
the rule designates any other name as the interface, the rule uses this 
classification. 

The rules in any policy can use the following terms to designate an interface: 

• Any - Any physical interface or tunnel. 

• Trusted - Any private physical interface or tunnel. 

• Untrusted - Any public physical interface. 

• Tunnel:Any - Any tunnel, excluding any physical interfaces. 

• For tunnels that are also interfaces, you can specify either a group name for 
user tunnels or the specific branch office tunnel for branch office tunnels. 

• Tunnel:/base - For tunnels that are also interfaces, you can specify the 
specific branch office tunnel. For example, /base/mktng/tony refers to branch 
office tony in group /base/mktng. 

• Tunnel:user - For tunnels that are also interfaces, you can specify a group 
name for user tunnels. For example, /base/engineering refers to all user 
tunnels in that group. 

• Interface name - The value of the Description field assigned to the physical 
interface on the System->LAN (or System->WAN) screen. If the description is 
blank, the interface name defaults to the value of the Interface field on the 
same screen. 
Any physical interface can be marked as “Private” or “Public” on the 
System->LAN->Configure screen. By default, the LAN interface (Slot 0) is 
“Private” and all other interfaces are “Public.” 

Filter rules 

Filtering uses a set of rules to determine whether a packet should be allowed 
through the firewall. Typical options are either accept or drop the packet, which 
provides a degree of security for a network. The rules determine one of the 
following actions: 

• Accept the packet 

• Drop the packet 

• Reject the packet by sending a reject to the source address 

• Log the packet locally, which is a modifier for the previous three actions 

For further explanation of the rules and how they are applied, see “Navigating 
rules” in Chapter 2. 


NAT 


Network Address Translation (NAT) is the translation of one network IP address 
that is used within a LAN to a different IP address that is used outside the LAN. 
This feature allows a system to be identified by one address on its own network, 
yet be identified by a totally different address to systems on a different network. 

NAT helps you avoid any issues with diminishing IP address space by allowing 
multiple systems on the same network to share the same IP address. It also 
provides additional security by minimizing the number of private network 
addresses that are visible to the public network. For tunneled traffic, it allows 
multiple intranets with conflicting subnets to communicate. For physical traffic, it 
provides support for dynamic as well as static NAT. 

Applying NAT to traffic patterns is independent of whether the source or 
destination of the packet is private or public. The following traffic patterns are 
equivalent: 

• Private to private 
• Private to public 

• Public to private 

• Public to public 
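The following Python example is added to make the NAT description above concrete; it is not Contivity code. It models a translation table with a static (one-to-one) entry and a dynamic, port-translating pool: outbound flows are rewritten and recorded, return traffic is mapped back by reverse lookup, and inbound packets with no matching entry are dropped, which is the "minimizing the number of private addresses visible to the public network" property the text mentions. Addresses, the pool and the class layout are constructed assumptions. 

```python
"""Static and dynamic NAT translation table (added example, not Contivity code)."""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, static, pool_ip, port_range=(1024, 65535)):
        self.static = dict(static)                      # inside ip -> outside ip (one-to-one)
        self.static_rev = {v: k for k, v in static.items()}
        self.pool_ip = pool_ip                          # shared outside address for dynamic NAT
        self.ports = itertools.count(port_range[0])     # next free outside port
        self.port_max = port_range[1]
        self.dyn = {}      # (in ip, in port, dst ip, dst port) -> outside port
        self.dyn_rev = {}  # (outside port, remote ip, remote port) -> (in ip, in port)

    def outbound(self, f: Flow) -> Flow:
        """Translate a packet leaving the private side; allocate a port on first sight."""
        if f.src_ip in self.static:
            return Flow(self.static[f.src_ip], f.src_port, f.dst_ip, f.dst_port)
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.dyn:
            port = next(self.ports)
            if port > self.port_max:
                raise RuntimeError("NAT port pool exhausted")
            self.dyn[key] = port
            # Reverse entry is bound to the remote peer as well, so only that peer can reply.
            self.dyn_rev[(port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.pool_ip, self.dyn[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Untranslate a packet from the public side, or return None to drop it."""
        if f.dst_ip in self.static_rev:
            return Flow(f.src_ip, f.src_port, self.static_rev[f.dst_ip], f.dst_port)
        if f.dst_ip == self.pool_ip:
            inside = self.dyn_rev.get((f.dst_port, f.src_ip, f.src_port))
            if inside:
                return Flow(f.src_ip, f.src_port, inside[0], inside[1])
        return None


def demo():
    """Constructed traffic: one static host, two dynamic hosts sharing a pool address."""
    nat = NatTable(static={"10.0.0.10": "198.51.100.10"}, pool_ip="198.51.100.1")
    out = {}
    a = nat.outbound(Flow("10.0.0.10", 5000, "203.0.113.5", 80))
    b = nat.outbound(Flow("10.0.0.21", 5000, "203.0.113.5", 80))
    c = nat.outbound(Flow("10.0.0.22", 5000, "203.0.113.5", 80))   # same inside port, new outside port
    out["static"] = (a.src_ip, a.src_port)
    out["dyn"] = [(b.src_ip, b.src_port), (c.src_ip, c.src_port)]
    reply = nat.inbound(Flow("203.0.113.5", 80, "198.51.100.1", 1024))
    out["reply"] = (reply.dst_ip, reply.dst_port)
    static_in = nat.inbound(Flow("203.0.113.5", 2222, "198.51.100.10", 22))
    out["static_in"] = (static_in.dst_ip, static_in.dst_port)
    out["unsolicited"] = nat.inbound(Flow("198.51.100.99", 4444, "198.51.100.1", 1024))  # wrong peer
    out["unmapped"] = nat.inbound(Flow("203.0.113.5", 80, "198.51.100.1", 2000))          # no entry
    return out


if __name__ == "__main__":
    print(demo())
```

The static entry is reachable from outside at any port, which is the price of a one-to-one mapping; the dynamic entries only answer to the peer that was contacted, so a scanner hitting the pool address sees nothing. 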

Anti-spoofing 

Anti-spoofing is a method used to prevent a packet from forging its source IP 
address. Typically, the source address of each packet is examined and validated. 
Anti-spoofing performs the following checks: 

• That the source address is not equal to the destination address 

• That the source address is not equal to zero 
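The following Python example is added to show how the interface classification, filter-rule actions and anti-spoofing checks described in the preceding sections fit together in one policy evaluation; it is not Contivity code and the rule and packet layout are assumptions. Rules name interfaces by the selectors listed under "Interfaces" (Any, Trusted, Untrusted, Tunnel:Any, a Tunnel: group or branch-office path, or the case-sensitive interface description), carry an accept, drop or reject action with an optional log modifier, and are evaluated first match wins. The two anti-spoofing checks run before any rule, and a packet that matches no rule is dropped, which is the default-deny principle Chapter 2 states for the Contivity Stateful Firewall. Addresses, interface names and the sample policy are constructed for illustration. 

```python
"""Firewall policy evaluation with interface classes and anti-spoofing (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str              # Description field, or the default interface name
    physical: bool         # False for a user or branch-office tunnel
    private: bool = False  # Private/Public marking on a physical interface
    path: str = ""         # tunnel group or branch-office path, e.g. /base/engineering/alice


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_if: Interface
    dst_if: Interface


@dataclass(frozen=True)
class Rule:
    action: str                    # accept | drop | reject
    src_if: str = "Any"
    dst_if: str = "Any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None
    log: bool = False              # modifier on top of the action


def iface_matches(selector: str, iface: Interface) -> bool:
    """Apply the interface selectors from the Interfaces section."""
    if selector == "Any":
        return True
    if selector == "Trusted":                       # private physical interface or any tunnel
        return iface.private or not iface.physical
    if selector == "Untrusted":                     # public physical interface
        return iface.physical and not iface.private
    if selector == "Tunnel:Any":
        return not iface.physical
    if selector.startswith("Tunnel:"):
        path = selector[len("Tunnel:"):]
        # Assumption: a group path matches every tunnel below it; a branch-office path matches exactly.
        return (not iface.physical) and (
            iface.path == path or iface.path.startswith(path.rstrip("/") + "/"))
    return iface.name == selector                   # case-sensitive, no abbreviation


def anti_spoof_ok(p: Packet) -> bool:
    """The two checks listed under Anti-spoofing."""
    return p.src_ip != p.dst_ip and p.src_ip != "0.0.0.0"


def evaluate(policy, p: Packet):
    """First matching rule wins; anything not explicitly allowed is dropped."""
    log = []
    if not anti_spoof_ok(p):
        log.append(("drop", "anti-spoof", p.src_ip, p.dst_ip, p.dst_port))
        return "drop", log
    src, dst = ipaddress.ip_address(p.src_ip), ipaddress.ip_address(p.dst_ip)
    for i, r in enumerate(policy):
        if not (iface_matches(r.src_if, p.src_if) and iface_matches(r.dst_if, p.dst_if)):
            continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != p.proto:
            continue
        if r.dst_port is not None and r.dst_port != p.dst_port:
            continue
        if r.log:
            log.append((r.action, f"rule {i}", p.src_ip, p.dst_ip, p.dst_port))
        return r.action, log
    log.append(("drop", "implicit", p.src_ip, p.dst_ip, p.dst_port))
    return "drop", log


def demo():
    """Constructed interfaces, policy and packets."""
    lan = Interface("LAN", physical=True, private=True)             # Slot 0, Private by default
    internet = Interface("Internet", physical=True, private=False)  # description set on System->LAN
    alice = Interface("alice", physical=False, path="/base/engineering/alice")
    policy = [
        Rule("accept", src_if="Trusted", dst_if="Untrusted", proto="tcp", dst_port=443),
        Rule("accept", src_if="Tunnel:/base/engineering", dst_if="LAN", dst="10.0.0.0/8", log=True),
        Rule("reject", src_if="Untrusted", proto="tcp", dst_port=23, log=True),
    ]
    packets = [
        Packet("10.0.0.5", "203.0.113.80", "tcp", 443, lan, internet),   # outbound HTTPS
        Packet("198.51.100.7", "10.0.0.5", "tcp", 23, internet, lan),    # inbound telnet
        Packet("10.8.0.2", "10.0.0.5", "tcp", 22, alice, lan),           # user tunnel to LAN
        Packet("198.51.100.7", "10.0.0.5", "tcp", 80, internet, lan),    # no rule: implicit drop
        Packet("0.0.0.0", "10.0.0.5", "udp", 53, internet, lan),         # spoofed source
    ]
    return [evaluate(policy, p) for p in packets]


if __name__ == "__main__":
    for action, log in demo():
        print(action, log)
```

Note that the reject action answers the sender while drop stays silent; the example keeps reject for the one case where telling the source something is deliberate, and lets everything unmatched fall through to the silent implicit drop. 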

Attack detection rules 

When a common attack is launched against corporate networks, the firewall 
should be able to detect these attacks. It should also drop any packets resulting 
from the attack, preventing denial-of-service as well as non-authorized intruders. 
The Contivity Stateful Firewall provides defense against well-known Denial of 
Service attacks with well-known prevention methods. 


Firewall options 

You can select one of the following firewall options: 

• Contivity Firewall 

• Check Point Fire Wall-1 

• No Firewall 

The Contivity Firewall consists of the Contivity Stateful Firewall, Contivity 
Interface Filter, Contivity Tunnel Filter, Interface NAT, and anti-spoofing. (In 
previous releases, the Contivity Interface Filter was called the Contivity Firewall.) 
You can enable or disable each of these separately. However, you must enable 
either the Contivity Stateful Firewall or Contivity Interface Filter. 
The Check Point FireWall-1 requires that you have Check Point FireWall-1 
Management Console Software and the appropriate license. For further 
information, see Installing Check Point FireWall-1 on the Contivity Extranet 
Switch. 

The No Firewall option disables all firewall features on the switch. In this 
configuration, the switch performs VPN routing only. 
Chapter 2 

Configuring the Firewall 


This chapter describes the steps for setting up your firewall. The process consists 
of the following: 

• Firewall software installation process 

• Firewall configuration tasks on the Contivity VPN Switch 

• Configuration tasks on the firewall 

• Steps you can use to verify that your firewall is working properly 

The procedures assume that you have already configured your Contivity VPN 
Switch (except for the firewall component) and that you have obtained the 
required firewall license. To configure the switch, see Configuring the Contivity 
VPN Switch. 


Licensing 

The Admin->Install Keys menu item is used to install a licensing key that enables 
optional software functionality. In order to enable features, a license key must first 
be installed. 

To install a software license key: 

1 Go to the Admin->Install Keys screen. 

2 Type the key that you obtained from Nortel Networks Customer Support in 
the box to the right of Firewall. 

3 Click on the Install button. 

After a valid key is installed, the label “Key Installed” is displayed. It is only 
necessary to install a key once on each switch. 
You must remove the firewall license key if you are downgrading the switch to a 
release earlier than Version 3.5. Click on the Remove button to remove the key. A 
confirmation message appears and when you click on Yes, the key is removed. 


Prerequisites 

Before you start setting up your firewall, be sure you have the management IP 

address of your switch. This address is found on the switch’s System->Identity 

screen. You may also need the following information: 

• The name of the firewall, which is the name that is used by the Domain Name 
Service (DNS) server to identify the management address of the switch. This 
name is entered in the DNS Host Name field of the switch's System->Identity 
screen. 

• The names and IP addresses of your switch’s interfaces. These are found on 
the switch's Status->Statistics: Interfaces screen. 

System requirements necessary to access the Contivity Stateful Firewall Manager 

include: 

• Supported operating systems and platforms include Solaris (OS 2.6, 7, or 8) 
on a x86 or SPARC platform and Microsoft® Windows 95, 98, 2000, or 
Windows NT 4. 

• Required software includes Java 2 Plug-in V1.3.0, available in the Java 2 
Runtime Environment V1.3.0. The J2RE is available for automatic download 
on a Windows platform from the switch (refer to the Java 2 Runtime 
Environment Installation). J2RE installation files for Windows and Solaris are 
also available on the Nortel Networks CD in the tools/java directory. 

• Supported browsers include Internet Explorer 4 and higher and Netscape 
Navigator/Communicator 4 and higher. Netscape 6 currently comes with a 
version of the Java 2 Plug-in that is not supported. If you wish to use Netscape 
6, please refer to the Netscape section of the Java 2 Runtime Environment 
Installation. 
Installing Java 2 software 

To access the Contivity Stateful Firewall Manager, the computer used to 
administer you switch must have the Java 2 Runtime Environment installed. 
There are two separate procedures that you can use to install the Java 2 software, 
depending on whether you use Internet Explorer or Netscape Navigator to access 
the switch. 

Using Internet Explorer 

To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT 
from Internet Explorer: 

1 Connect to the management IP address of the switch and log in. 

2 Go to the Services->Firewall screen. 

3 Click on the Manage Policies button. A popup window appears and tries to 
load the Contivity Stateful Firewall Manager. 

4 When the Security Warning dialog box appears, click on Yes to install the 
Java 2 Runtime Environment. 
The installation program will begin to download the software from the switch. 
This may take several minutes to load, depending on the speed of your 
connection to the switch. 

5 When the installation program displays the Software Licensing Agreement, 
click on Yes to accept the agreement. 

6 When the installation program asks for an installation location, accept the 
default location or choose an alternate installation location. 

7 Click on Next > to finish the installation. 

8 When the installation is complete, close all open Web browsers. 

9 Reboot the computer for the changes to take effect. 

Using Netscape 

To install the Java 2 software on Windows 9x, Windows 2000, or Windows NT 

from Netscape Navigator: 

1 Connect to the management IP address of the switch and log in. 

2 Navigate to the Services->Firewall screen. 

3 Click on the Manage Policies button. A popup window appears and tries to 
load the Contivity Stateful Firewall Manager. The Plug-in Not Loaded dialog 
box appears. (If this dialog does not appear, click on the long white or gray 
box that appears on the browser popup window.) 
4 Click on the Get the Plug-in button to download the Java 2 Runtime 
Environment. The Java Plugin Download screen appears. 



5 Click on the Download now link next to the Windows version of the Java 
Runtime Environment. 

6 When the browser prompts you for a location to save the file, choose a 
download location and click on OK to continue. (This may take several 
minutes to load, depending on the speed of your connection to the switch.) 

7 When the download finishes, go to the download location and double-click on 
the icon for the Java Runtime Environment. 

8 When the installation program displays the Software Licensing Agreement, 
click on Yes to accept the agreement. 

9 When the installation program asks for an installation location, accept the 
default location or choose an alternate installation location. 

10 Click on Next > to finish the installation. 
11 When the installation is complete, close all open Web browsers. 

12 Reboot the computer for the changes to take effect. 

Using Netscape 6 

Netscape 6 currently includes a version of the Java 2 Plug-in that is not supported 
(version 1.3.01). To successfully load the Contivity Stateful Firewall Manager, 
you must use version 1.3.0. The following steps change the default plug-in from 
version 1.3.01 to version 1.3.0. 

1 Install the Java 2 Runtime Environment 1.3.0 as described above and be sure 
to restart the computer. 

2 Load the Java Plug-in Properties from Start>Settings>Control Panel>Java 
Plug-in. 

3 Click on the Advanced tab. 

4 Choose JRE 1.3.0 ... from the list. 

5 Click on Apply. 

6 Close the window. 

7 Close all open instances of Netscape. 

8 Restart Netscape. The correct plug-in should be available. 

Using Netscape on Solaris 

The Java 2 Runtime Environment for Solaris is available on the Nortel Networks 
CD. The installation files and instructions are available for x86 and SPARC 
platforms. 

To install the Java 2 software on Solaris (OS 2.6, 7, 8) from Netscape Navigator: 

1 Ensure that a version of Netscape is installed on the computer. 

2 Close all instances of Netscape if any are opened. 

3 Go to the tools/java/solaris directory on the Nortel Networks CD. 

4 Choose the subdirectory for the installed platform, either intel for x86 or sparc 
for SPARC. 

5 Copy the binary (.bin) and the README files to the computer. 
6 Follow the platform-specific installation instructions contained in the 
README file. 

7 Set the NPX_PLUGIN_PATH environment variable to the directory 
containing the javaplugin.so file. 

For example, if the J2RE was installed in the /usr/j2re1.3 directory, the 
command to set NPX_PLUGIN_PATH from the C shell would be 

setenv NPX_PLUGIN_PATH "/usr/j2re1.3/plugin/sparc" 

on a SPARC platform, or 

setenv NPX_PLUGIN_PATH "/usr/j2re1.3/plugin/i386" 

on an x86 platform. 

8 Start Netscape and then close it. 

9 Start Netscape again and the plug-in should be available. 


Initial Configuration 

To use the firewall on the Contivity VPN Switch, you must first enable the 
firewall service. Without the firewall enabled, the switch only handles traffic on 
the tunnel interfaces. When the firewall is enabled, the switch can also handle IP 
traffic between the physical interfaces and the tunnel interfaces. 

You must create rules for tunnel traffic before traffic on existing tunnel definitions 
is allowed. The Contivity Stateful Firewall uses the principle that whatever traffic 
is not specifically allowed is disallowed. The rule set of the active policy is 
applied to all traffic, including tunneled and non-tunneled traffic.Therefore, when 
the Contivity Stateful Firewall is first enabled, all traffic is disallowed until you 
configure rules specifically allowing certain types of traffic. 

To get started using the firewall, follow these steps: 

1 Go to the System->LAN screen. For each interface, click on Configure and 
enter a one-word label in the Description field. You use this name to identify 
interfaces in the security policy rules. LAN represents the physical port 
interface to which you assign an IP address. Slot n Interface n represents an 
optional LAN card in expansion Slot n using Interface n. 
For example, you could make Internet the description for Slot 1 Interface 1 
and ServiceNet the description for Slot 2 Interface 1. The description is case 
sensitive and cannot be abbreviated when specifying the interface in the rules. 
If you do not specify a description, the default name for the interface is “Slot n 
Interface 1” (n = 1 to 4); this default name is also case sensitive and cannot be abbreviated. 

2 Go to the Services->Firewall/NAT screen. 



3 Check the boxes next to Contivity Firewall, Contivity Stateful Firewall, NAT, 
and Anti-spoofing. 

4 Click on OK. A confirmation screen appears asking if you want to reboot. 

5 Click on Later. 

6 Return to the Services->Firewall/NAT screen. 

7 Click on the Edit button next to the Contivity Firewall. Again a screen appears 
asking if you want to reboot. 

8 Click on OK. You must reboot the switch. On subsequent screens, confirm 
that the switch must be rebooted. 

9 After the switch reboots, return to the Services->Firewall/NAT screen. 
10 Click on Manage policies to load the Contivity Stateful Firewall Manager 
applet. The first time you do this on any workstation, you need to load the 
Java applet. You see the message “Retrieving policies.” 

11 Select the System Default policy, which is read-only. 

12 Click on the View button to review this policy. The implied and post-implied 
rules are included with every new policy. 





13 To exit the Contivity Stateful Firewall Manager, click on Manager->Exit. You 
can toggle the browser windows between the Contivity Stateful Firewall 
Manager applet and the Services->Firewall/NAT screen. If you use your 
browser to change other settings on the switch while the Contivity Stateful 
Firewall Manager applet is running, these changes are not reflected in the 
current Contivity Stateful Firewall Manager applet. Click on the Firewall icon 
in the Contivity Stateful Firewall Manager applet to refresh the list of policies 
and other switch settings. Any changes made in the Contivity Stateful 
Firewall Manager applet are not evident in the Services->Firewall/NAT screen 
until you save a policy. 

14 After you exit the Contivity Stateful Firewall Manager applet, click on 
Refresh on the Services->Firewall/NAT screen. 


You can apply (assign) a policy to the firewall in either the Contivity Stateful 
Firewall Manager applet or the Services->Firewall/NAT screen. The new policies 
you create are not automatically applied to the firewall. Only one policy at a time 
can be in effect on the firewall. 


Note: You cannot import or export new policies. However, there are no 
restrictions on creating new policies. 
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Contivity Firewall options 

The following options control the amount of detail recorded in the event log. 
None of these options apply to the system log. 

• All - includes Traffic, Policy Manager, Firewall, and NAT 

• Traffic - logs when flows and conversations are created or removed 

• Policy Manager - logs firewall processes and when rules and policies are 
created 

• Firewall - logs how the firewall handles packets within a flow 

• NAT - logs NAT-related events 

• Debug - creates special log messages intended for use only by Nortel 
Networks customer support 

You can also select a connection number, which allows you to reserve memory for 
a maximum number of connections. Determining the optimum memory allocation 
makes it easier to tune your system for firewall traffic. Under the Connection 
Number section, type in any connection number. Below the box for the connection 
number is a suggested number range. The range displayed varies depending on the 
model and amount of memory for your switch. Each IPSec tunnel requires two 
connections. Setting the connection number to the minimum number in the 
number range minimizes the number of IPSec tunnels that your switch can handle 
and maximizes the size of dynamic memory available to the other firewall 
processes. Nortel Networks recommends that you set the number near the middle 
of the range displayed unless you have specific requirements that you need to 
consider. 


Setting up policies on the firewall 

Firewall service consists of two primary components: the service properties and 
the security policy. The properties that define what service is being offered include 
a service name, the protocol (TCP, UDP, ICMP), and the port number (or range) 
on which the server listens. 
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Security policies consist of a set of rules that specify what traffic is allowed or 
denied. You can define custom policies when more complex security policies are 
needed and the standard policies are not sufficient. By customizing your policies, 
you can further refine the control over what traffic is allowed on your internal 
networks. 

The firewall policies use standard actions, which represent the most commonly 
used policies. You can use the following actions individually or combine them in a 
single rule: 

• Allow (accept) access if traffic arrives on a specified interface (source 
interface rule) 

• Allow access if traffic from the firewall is to a specified interface (destination 
interface rule) 

• Allow access if traffic is from a specific host or group of hosts 

• Allow access if traffic is going to a specific host or group of hosts 

• Allow access if traffic is a specific service 

• Deny access (drop) or deny access and send a reject packet (reject) if 
specified as modifiers to the previous actions 

A set of rules defines a specific security policy. A rule defines whether 
communication should be accepted or rejected (or logged) based on its source, 
destination, and service. 

You must create rules for tunnel traffic before traffic on existing tunnel definitions 
will be allowed. The Contivity Stateful Firewall uses the principle that whatever 
traffic is not specifically allowed is disallowed. The rule set of the active policy is 
applied to all traffic, including tunneled and non-tunneled traffic. Therefore, when 
the Contivity Stateful Firewall is first enabled, all traffic is disallowed until you 
configure rules specifically allowing certain types of traffic. 

Creating and editing firewall policies 

Access control parameters are implemented through the graphical user interface 
or the command line interface (CLI). Using either interface, you can configure the 
following: 

• Network objects 

• Service objects 
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• Rules 

See Chapter 5, “Command Line Interface” for a list of commands you can use on 
the CLI. 

The security policy is a set of rules describing the required behavior of the service. 
You specify all rule fields for service policies using service objects. Each rule 
consists of a combination of network objects, services, actions, and logging 
mechanisms. 

Navigating rules 

The firewall policy edit screen allows you to add, delete, and modify the rules in a 
policy. This screen is divided into the following rule groups: 

• Implied rules 

• Override rules 

• Interface-specific rules 

• Default rules 

• Post-implied rules 

Rules arc divided into the following types: 

• Implied rules are processed first by the firewall. These rules permit tunnel 
termination and access to the management interface. They are derived from 
the Services->Available screen settings. 

• Override rules are the first set of rules specified in the policy. These rules 
allow you to quickly override the rest of the rules in the policy, possibly for a 
short period while debugging a problem. These rules do not specify a specific 
interface in the source or destination interface column. You may only select 
from the interface groupings (Any, Trusted, Untrusted, Tunnel:Any). 

• Interface-specific rules are rules that apply only to packets that enter or leave 
the switch through one specific interface (physical or tunnel). The 
interface-specific section is divided into two types: source rules and 
destination rules. Source rules are those rules that define the selected interface 
as their source and destination rules are those rules that define the selected 
interface as their destination. The interface names correspond to the names 
that you configured on either the System->LAN or System->WAN screen on 
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your switch. On these screens, you can also specify whether these interfaces 
are private or public. For tunnels that are also interfaces, you can specify 
either a group name for user tunnels or the specific branch office tunnel for 
branch office tunnels. 

• A default rule set is applied to all packets for which a rule was not found in 
the set of interface-specific rules. These rules cannot specify specific 
interfaces in the source or destination interface columns and can only use 
interface groupings (Any, Trusted, Untrusted, Tunnel:Any). 

• Post-implied rules allow RSVP, ICMP, LDAP and RADIUS access and access 
by routing protocols on trusted interfaces. You cannot configure these rules 
and the last post-implied rule is to drop all traffic that was not handled by a 
prior rule. However, you can override these rules by specifying a rule in one 
of the three rule groupings (override, interface-specific, or default). 
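The rule groups and standard actions described above amount to an ordered, first-match evaluation with a default-deny tail: override rules, then the interface-specific rules for the interfaces involved, then the default rules, and finally the post-implied drop of anything no rule allowed. The Python model below is an added example, not Nortel code; the interface table (Internet, ServiceNet, BranchOffice-NY), the sample policy and addresses are constructed, the order in which source and destination interface-specific rules are consulted is an assumption, and the implied and post-implied allow rules (tunnel termination, management access, routing protocols) are not modelled beyond the final drop. It shows the consequences a practitioner cares about: interface descriptions match exactly and case-sensitively, override and default rules may only name groupings, and tunnel traffic is dropped until a rule allows it.

```python
"""Model of Contivity Stateful Firewall rule evaluation (added example, not
Nortel code): override, interface-specific and default groups in order, then
the post-implied drop; the first enabled matching rule in a group wins."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

GROUPINGS = ("Any", "Trusted", "Untrusted", "Tunnel:Any")
# Constructed interface table (assumption): description -> (kind, trust).
INTERFACES = {"Internet": ("physical", "public"),
              "ServiceNet": ("physical", "private"),
              "BranchOffice-NY": ("tunnel", "private")}

@dataclass
class Packet:
    src_if: str
    dst_if: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports

@dataclass
class Rule:
    src_if: str = "Any"
    dst_if: str = "Any"
    src: tuple = ("0.0.0.0/0",)  # network objects as CIDR strings
    dst: tuple = ("0.0.0.0/0",)
    service: tuple = ()          # () = Any, else (proto, port) pairs
    action: str = "Accept"       # Accept | Drop | Reject
    log: str = "None"            # None | Brief | Detail | Trap
    enabled: bool = True

@dataclass
class Policy:
    override: list = field(default_factory=list)
    source_rules: dict = field(default_factory=dict)  # interface -> [Rule]
    dest_rules: dict = field(default_factory=dict)    # interface -> [Rule]
    default: list = field(default_factory=list)

@dataclass
class Decision:
    action: str
    section: str
    number: Optional[int]  # the rule's "#" in its section; None for the final drop
    log: str

def interface_matches(selector: str, iface: str) -> bool:
    """selector is a grouping or an exact, case-sensitive interface description."""
    if selector == "Any":
        return True
    info = INTERFACES.get(iface)
    if info is None:
        return False  # unknown or differently cased name never matches
    kind, trust = info
    if selector == "Trusted":
        return trust == "private"
    if selector == "Untrusted":
        return kind == "physical" and trust == "public"
    if selector == "Tunnel:Any":
        return kind == "tunnel"
    return selector == iface

def invalid_rules(policy: Policy) -> list:
    """Override and Default rules may only name interface groupings."""
    return [r for r in policy.override + policy.default
            if r.src_if not in GROUPINGS or r.dst_if not in GROUPINGS]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    return (rule.enabled
            and interface_matches(rule.src_if, pkt.src_if)
            and interface_matches(rule.dst_if, pkt.dst_if)
            and any(src in ip_network(n) for n in rule.src)
            and any(dst in ip_network(n) for n in rule.dst)
            and (not rule.service or
                 any(p == pkt.proto and port == pkt.dport for p, port in rule.service)))

def evaluate(policy: Policy, pkt: Packet) -> Decision:
    """Walk the groups in order; whatever no rule allowed is dropped."""
    groups = [("override", policy.override),
              # consulting source rules before destination rules is an assumption
              ("source:" + pkt.src_if, policy.source_rules.get(pkt.src_if, [])),
              ("destination:" + pkt.dst_if, policy.dest_rules.get(pkt.dst_if, [])),
              ("default", policy.default)]
    for section, rules in groups:
        for number, rule in enumerate(rules, start=1):  # the "#" column
            if rule_matches(rule, pkt):
                return Decision(rule.action, section, number, rule.log)
    return Decision("Drop", "post-implied", None, "None")

def example_policy() -> Policy:
    """Constructed policy: HTTP from the Internet to one ServiceNet host, plus
    anything from a trusted interface out to an untrusted one; nothing else."""
    policy = Policy()
    policy.source_rules["Internet"] = [
        Rule(src_if="Internet", dst_if="ServiceNet", dst=("10.1.1.10/32",),
             service=(("tcp", 80),), log="Brief")]
    policy.default = [Rule(src_if="Trusted", dst_if="Untrusted")]
    return policy
```

With `example_policy()`, HTTP from the Internet to 10.1.1.10 is accepted by source rule #1 of the Internet interface and logged at Brief, SSH to the same host falls through every group and is dropped by the post-implied rule, and a packet arriving over the BranchOffice-NY tunnel is likewise dropped because no rule mentions tunnel traffic.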

Implied rules 

The implied rules (Figure 1) are defined by the system. You cannot modify them 
using the Contivity Stateful Firewall Manager; these rules are read-only and no 
part of a rule can be changed. They are generated from the Services->Available 
screen on the switch. These sections are for display purposes only. 


Figure 1 Implied rules 
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Override rules 

Rules that are specified in the override rules (Figure 2) are the first set of rules 
specified in the policy. The purpose of these rules is to allow you to quickly 
override the rest of the rules in the policy, possibly for a short period while 
debugging a problem. These rules do not specify a specific interface in the source 
or destination interface column. You can only select from the interface groupings 
(Any, Trusted, Untrusted, Tunnel:Any). 

Figure 2 Override rules 
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Interface-specific rules 

Interface-specific rules are rules that only apply to one specific interface (physical 
or tunnel). The interface-specific rule section (Figure 3) has a selection box that 
allows you to select the interface to display rules. The interface-specific rule 
section only displays one interface at a time. In order to view all of the 
interface-specific rules, select All Interfaces. This screen has a column that 
denotes which rules are source and destination rules. 
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Figure 3 Interface-specific rules 
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Selecting an interface from the selection box displays those rules that apply to the 
selected interface. If you select Branch Office Tunnel or User Tunnel from the 
primary selection box, a new selection box appears next to it that contains the 
branch office tunnels or user groups. This box disappears if you later select a 
physical tunnel. 

The interface-specific section is also divided into two types: source rules and 
destination rules. Source rules are those rules that define the selected interface as 
their source and destination rules are those rules that define the selected interface 
as their destination. You can toggle between the two types of rules for a particular 
interface by clicking on the Source Rules or Destination Rules radio button. 

When you add a rule to the interface-specific section, the rule is created as the 
same type as the one you are currently viewing. 

If you are viewing the source rules (Figure 4) and you add a new rule from that 
screen, it is a source rule. The source interface field on a source rule is set to the 
current interface and is read-only. The destination interface field can contain any 
physical interface, tunnel, or interface grouping. 
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If you are viewing the destination rules (Figure 5) and you add a new rule from 
that screen, it is a destination rule. The destination interface field on a destination 
rule is set to the current interface and is read-only. The source interface field can 
only contain interface groupings (Any, Trusted, Untrusted, Tunnel:Any). 

Figure 4 Source interface rules 
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Figure 5 Destination interface rules 
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Default rules 

A default rule (Figure 6) is a rule that is applied to all packets for which a rule was 
not found in the set of interface-specific rules. These rules cannot specify specific 
interfaces in the source or destination interface columns and can only use interface 
groupings (Any, Trusted, Untrusted, Tunnel:Any). 
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Figure 6 Default rules 
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Post-implied rules 

The post-implied rules (Figure 7) are defined by the system. You cannot modify 
them using the Contivity Stateful Firewall Manager; these rules are read-only and 
no part of a rule can be changed. They are generated from the Services->Available 
screen on the switch. These sections are for display purposes only. 

Figure 7 Post-implied rules 



Performing actions on rules 

The actions that you can perform on rules are controlled by menus that you access 
by right-clicking on an option. Each of these menus controls a different aspect of 
the rule. 
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Header row menu 

Right-clicking on any of the header cells brings up the Header row menu 
(Figure 8). This menu contains one item, Add New Rule. This menu item allows 
you to add a new rule to the top of the list. The new rule appears in position one 
and all existing rules increment by one. 


Figure 8 Header row menu 
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Row menu 

Right-clicking on the number field in a row activates the row menu (Figure 9). 
This menu allows you to add a new rule at a particular location, delete the specific 
rule, and perform cut/copy/paste operations on a rule. 

Figure 9 Row menu 
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Cell menus 

Cell menus (Figure 10) are specific to each cell and you trigger them when you 
right-click on an individual cell. There are two types of cell menus: option menus 
and procedure menus. Option menus provide a list of possible values for the cell. 
These menus are similar to a drop-down list box. When you click on one of the 
items, the selection is displayed in the cell. 

Figure 10 Cell menu (option) 



Procedure menus (Figure 11) provide a list of operations that you can perform on 
the cell, such as Add and Edit. When you click on one of the items, either the 
operation is performed immediately (such as Copy) or an additional dialog box 
appears, prompting you for more information (such as Add). 

Figure 11 Cell menu (procedure) 
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Rule columns 

Each rule within a firewall policy has the same attributes, which are specified by 
the column headers. All of the columns behave the same in all three sections, 
except the Src Interface and Dst Interface columns, which behave differently 
depending on the section where the rule appears. The following sections describe 
the columns within a firewall rule: 

# 

This column specifies the ordering of the rules within the section. The order only 
applies to the section in which the rule appears and does not have meaning across 
the entire policy. If you log a rule, this number (#) is included in the log 
information. 

Src interface and Dst interface 

These columns specify the source and destination interfaces for the rule. 
Right-clicking on the cell displays an option menu containing possible interfaces. 
What appears in this option menu depends on which section of the Firewall policy 
the particular column appears in. For the Override and Default rules, the interfaces 
may only be interface groupings. These groupings are: 

• Any - Any physical interface or tunnel 

• Trusted - Any private physical interface or tunnel 

• Untrusted - Any public physical interface 

• Tunnel:Any - Any tunnel, excluding any physical interfaces 

Figure 12 shows an example of a rule column. 

Figure 12 Rule column 
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For the interface-specific rules, you can specify the interfaces as either groupings 
or individual interfaces. 

Figure 13 shows a rule column for interface-specific rules. 

Figure 13 Rule column for interface-specific rules 



Clicking on the user tunnel (Figure 14) or branch office (Figure 15) menu items 
displays the tunnel selection dialog box. This dialog box allows you to select a 
specific tunnel (branch office or user tunnel). 

Figure 14 Tunnel dialog box for a user tunnel 
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Figure 15 Tunnel Selection dialog box for a branch office tunnel 



Source and Destination 

These columns specify the source and destination addresses for the rule. You can 
modify these attributes by right-clicking on a column in the cell, which then 
brings up a procedure menu. 

Clicking on Add displays the Network Object Selection dialog box (Figure 16). In 
this dialog box you define and apply a new network object. You can create the 
following network objects: host, network, IP range, and group (a collection of 
these objects). 


Note: It is possible to add more than one source or destination address 
to a rule. 
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Figure 16 Network Object Selection dialog box 



Italicized objects in the list are read-only and cannot be modified. The New, Edit, 
and Delete buttons in this dialog box allow you to create, edit and delete network 
objects. 

Clicking on Edit displays the Network Object Edit dialog box (Figure 17). This 
dialog box allows you to modify the attributes for the selected network object. 

Figure 17 Network Object Edit dialog box 



Clicking on Delete removes the selected network object. If the object that you 
want to delete is the last object, it returns to the default value. 
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Clicking on Copy, Cut, or Paste performs those operations on the current network 
object. 

Service 

This column specifies which services are handled by the selected rule. 
Right-clicking on the cell displays the standard procedure menu (Add or Edit). 

Clicking on Add triggers the Service Object Selection dialog box (Figure 18), 
which allows you to define and apply a new service object. You can create the 
following service objects: tcp, udp, icmp, ip protocol, and object groups (a 
collection of these objects). 



Note: It is possible to add more than one service to a rule. 


Figure 18 Service Object Selection dialog box 



Italicized objects in the list are read-only and cannot be modified. The New, Edit, 
and Delete buttons in this dialog box allow you to create, edit and delete service 
objects. Clicking on Edit displays the Service Object Edit dialog box (Figure 19). 
This dialog box allows you to modify the attributes for the selected service object. 
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Figure 19 tcp object insert dialog box 



Clicking on Delete removes the selected service object from the cell. If the object 
to be deleted is the last object in the cell, the cell returns to its default value (in this 
case, Any). 

Clicking on Copy, Cut, or Paste performs those operations on the current service 
object. 

Action 

This column (Figure 20) specifies the action that occurs when the rule is activated. 
Right-clicking on the cell displays an option list containing three items: Accept, 
Drop, and Reject. Clicking on one of these items sets the cell to the selected state. 

Figure 20 Action column options 
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Log 

The Log column (Figure 21) allows you to specify the logging level for this rule. 
Right-clicking on this cell brings up an option list containing the following 
logging levels: None, Brief, Detail, and Trap. 

Figure 21 Log column options 
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Status 

This column (Figure 22) specifies the status of the particular rule. The status can 
be either Enabled or Disabled. 

Figure 22 Status column options 



Remark 

This column allows you to attach a remark to a particular rule. When you 
right-click on Remark and choose Add or Edit remark, a dialog box appears where you 
can type a comment. 
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Creating policies 

The Firewall - Select Policy screen (Figure 23) allows you to create, edit, delete, 
copy, or rename a firewall policy. Bold denotes the policy that is currently applied 
to the Contivity VPN Switch and italics denotes read-only policies. The System 
Default policy is always listed. This read-only policy defines the firewall behavior 
when no user-defined policies have been applied or when the selected policy is 
not available (for example, if LDAP is not available). 

Figure 23 Firewall - Select Policy screen 



You can add, modify or delete the rules for a policy. The screen is divided into 
sections that denote the rule groups. If you upgrade to a new version, the current 
configuration is copied to the new version. If you either upgrade or downgrade to 
a previous version, the configuration file and LDAP database are saved and 
restored. 

Adding a policy 

To add a new policy: 
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1 Click on the New button. The New Policy dialog box appears and prompts 
you for a name for the new policy. 



2 Enter the policy name. The name must begin with a letter and may not contain 
the : + = characters. 

3 Click on OK to go to the Policy Edit screen, which has a blank firewall policy, 
or click on Cancel to return to the policy selection screen. 

Refer to the “Navigating rules” section to set up rules for your new policy. 

Deleting an existing policy 

You cannot delete a read-only policy or the policy that is currently applied to the 
switch. If you select one of these policies, the Delete button is not enabled. To 
delete an existing policy: 

1 Select the policy that you want to delete and click on the Delete button. The 
delete policy confirmation dialog box appears. 



2 Click on OK to delete the selected policy. 

Copying an existing policy 

To copy a firewall policy: 

1 Select the policy that you want to copy. 
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2 Click on the Copy button. The copy dialog box appears. 



3 Enter a name for the copied policy. 

4 Click on OK. 

The new policy appears in the list of policies in the firewall policies screen. This 
policy contains the same rules as the policy from which it was copied. 

Renaming an existing policy 

You cannot rename a read-only policy or the policy that is applied to the switch. If 
you select a read-only policy, the Rename button is not enabled. To rename an 
existing firewall policy: 

1 Select the policy that you want to rename. 

2 Click on the Rename button. The Rename dialog box appears. 



3 Enter the new name of the policy. 

4 Click on OK. 

Creating a new policy example 

Complete the following steps to configure your firewall policies. 
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1 Log in to the switch. Select Services—>Firewall/NAT. The Firewall/NAT 
screen appears. 


2 Under Configuration, click on the Enabled radio button next to Contivity 
Firewall. 


3 Click on the Manage Policies button. The Firewall - Select Policy screen 
appears. 
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4 Click on New to create a new policy. The New Policy dialog box appears. 




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


5 Enter the policy name and click on OK. The name must begin with a letter and 
may not contain the : + = ],; " characters. The Firewall - Edit Policy: 
<policyname> screen appears with no rules defined. In this screen, you can 
add, delete, and modify the rules for the policy. 



6 You can select the rule group as follows: 


• Implied rules (view only) 

• Override rules 

• Interface-specific rules 

• Default rules 

• Post-implied rules (view only) 

7 Select the Interface Specific Rules tab. 

8 Select the interface from the drop-down list. 
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9 Select either Source Interface Rules or Destination Interface Rules. 



10 Right-click on the appropriate cell to add a new rule. 



11 Repeat these steps to add more rules. 

12 Select Policy and click on Save Policy to save your changes. 



13 When the policies are saved, go to the Manage menu and click on Close 
Manager. 
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Successful completion of these steps indicates that your switch’s firewall is 
functioning and that the switch’s routing patterns are available. 


Verifying your configuration 

When you complete the configuration tasks for the firewall, you should check the 
switch’s routing patterns. To verify that the firewall functions properly, you can 
use a procedure similar to the following: 

1 Make sure the firewall is using a security policy that allows the type of traffic 
you use for the test (or you can use an Accept All policy for the testing). 

2 Verify public-to-private traffic. Perform an FTP operation from a host on the 
public side of the switch to a host on the private side. 

3 Verify private-to-public traffic. Perform an FTP operation from a host on the 
private side of the switch to a host on the public side. 

4 Verify tunnel-to-internal network traffic. Connect a remote Contivity VPN 
Switch system to the local switch. From the client, access a Web page on the 
internal network. 

5 Verify tunnel-to-Internet traffic. Connect a remote Contivity VPN Client 
system to the switch. From the client, access a Web page on the Internet. 
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Chapter 3 

Configuring Interface NAT 


This chapter describes the steps for setting up Interface NAT. 


Network Address Translation (NAT) 

Network Address Translation (NAT) is the translation of one IP address that is 
used in the network to a different IP address that is used outside the network. This 
feature allows a system to be identified by one address on its own network, yet be 
identified by a totally different address to systems on a different network. 

NAT enables private networks with private addressing to communicate with a 
public network (Internet) that requires public addresses. Typically, companies use 
private addresses to increase the security of an intranet by hiding the internal IP 
addresses. 

NAT allows privately addressed networks (within an intranet) to use IP addresses 
that are not assigned to them by the Internet Assigned Numbers Authority 
(IANA); for example, a 10.n.n.n network address. NAT converts such an internal 
addressing scheme to an IANA-assigned address before sending a packet out to 
the public Internet (outside the intranet). This translation generally occurs in a 
network edge device such as the switch or a router. 

Translation types 

Static addresses map internal IP addresses to external IP addresses. This mapping 
does not change (unlike dynamically mapped addresses). For example, if host 
10.0.0.1 is translated to 192.165.0.1 using a static rule, then an Internet host, 
192.168.1.1, can initiate an FTP session using the translated external address. A 
host name using this rule is always bound to the same external address. For 
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example, 10.2.3.2 within the intranet is always translated to 192.168.34.65. A 
static NAT rule allows external hosts to initiate connections to internal hosts. 
Figure 24 shows how IP addresses are changed going from outside (Internet) to the 
internal network and from internal network to the Internet. 


Figure 24 Static address translation 
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Dynamic rules include either port addressing or pooled addressing. The rules are 
dynamic because an address is assigned to a port or is assigned from a pool, 
depending on the specific situation and the conditions that currently exist for that 
situation. Both port and pooled addresses require external end addresses (unlike 
static addresses, which do not). 

Unlike static rules, dynamic port NAT is not one-for-one. All packet transmissions 
must be initiated from the internal network. For dynamic port translation, the 
switch checks to see if the packet matches any translation table entries. If an entry 
exists, then it modifies the destination port and address appropriately. If there are 
no matching entries, the switch checks to see if the packet is initiating a 
connection. If so, then it allocates the next available port, adds the address and 
port to the translation table, and modifies the packet accordingly. It allocates the 
port assignment from the range of unassigned port numbers. For an incoming 
packet, if there are no matching entries in the translation table, it drops the packet. 

Figure 25 shows how source packets from 10.0.0.1 are translated to 192.168.0.1, 
through port address translation for all packets from the 10.0.x.x network. 
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Figure 25 Port address translation 
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Dynamic pooled NAT is similar to dynamic port NAT. The switch checks to see if 
an address entry has already been allocated for this situation. If so, it updates the 
packet addressing and sends the packet. Otherwise, the switch attempts to allocate 
an address from a pool designated for this session. If an address is available, the 
switch adds the address pair (the original private address and the newly assigned 
public address) to the translation table and modifies the packet header. If there are 
no addresses available, it drops the packet. For an incoming packet, if there are no 
matching entries in the translation table, then it drops the packet. 

Figure 26 shows how source packets from 10.0.0.1 are translated to an address 
from the pool 192.168.0.1 to 192.168.0.254, through pooled address translation 
for all packets from the 10.0.x.x network. 
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Figure 26 Pooled address translation 
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Interface NAT 

NAT sets are collections of rules that make up a named set. You can create 
specific NAT sets for certain conditions, and assign the sets as they are 
appropriate to the conditions. NAT sets are applied to Interface NAT using the 
Services->Firewall screen. 

Interface NAT rules can be one of the following types: 

• Static - for static mapping, an internal address range is mapped “one to one” 
to an external range. 

• Port - for port mapping, the range of internal addresses is hidden behind a 
single external address. These external addresses are distinguished by using 
dynamically assigned port numbers. 

• Pooled - for pooled mapping, an internal address is dynamically mapped to 
the next available address from the external address range. 
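The three Interface NAT rule types listed here are the translation types described under "Translation types": static one-to-one mapping, dynamic port mapping behind one external address, and dynamic pooled mapping. The Python model below is an added example, not Nortel code, and works through the lookup logic the text gives for each type: static rules translate in both directions and let external hosts initiate; port and pooled rules only build a translation entry for traffic initiated from the inside, and drop inbound packets with no table entry or outbound packets when the port range or pool is exhausted. The Packet structure, the port range used for port NAT, and the sample addresses (10.2.3.2, 192.168.34.65, 10.0.0.1, 192.168.0.1) are constructed assumptions chosen to match the document's examples.

```python
"""Model of the three Interface NAT translation types (added example, not
Nortel code). Outbound packets leave the intranet; inbound packets arrive
from the public side. Returning None means the switch drops the packet."""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True when the packet initiates a connection

def ip_range(start: str, end: str) -> list:
    """Inclusive list of dotted addresses from start to end."""
    lo, hi = int(ip_address(start)), int(ip_address(end))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]

class StaticNat:
    """Static rule: the internal range maps one-to-one onto an external range
    starting at external_start, so external hosts may initiate connections."""
    def __init__(self, internal_start: str, internal_end: str, external_start: str):
        base = int(ip_address(external_start))
        self.to_external = {ip: str(ip_address(base + i))
                            for i, ip in enumerate(ip_range(internal_start, internal_end))}
        self.to_internal = {ext: ip for ip, ext in self.to_external.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        ext = self.to_external.get(pkt.src_ip)
        return None if ext is None else replace(pkt, src_ip=ext)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.to_internal.get(pkt.dst_ip)
        return None if internal is None else replace(pkt, dst_ip=internal)

class PortNat:
    """Dynamic port rule: internal hosts hide behind one external address and
    are told apart by dynamically assigned ports (the port range is an
    assumption). Only the inside may initiate; unmatched inbound is dropped."""
    def __init__(self, external_ip: str, first_port: int, last_port: int):
        self.external_ip = external_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.table = {}    # (proto, internal ip, internal port) -> external port
        self.reverse = {}  # (proto, external port) -> (internal ip, internal port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.table.get(key)
        if port is None:
            if not pkt.syn or not self.free_ports:
                return None  # not a new connection, or no unassigned port left
            port = self.free_ports.pop(0)
            self.table[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.reverse.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.external_ip or entry is None:
            return None  # no translation entry: drop
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

class PooledNat:
    """Dynamic pooled rule: each internal address is bound to the next free
    address of the external pool; an empty pool means the packet is dropped."""
    def __init__(self, external_start: str, external_end: str):
        self.pool = ip_range(external_start, external_end)
        self.table = {}    # internal ip -> external ip
        self.reverse = {}  # external ip -> internal ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        ext = self.table.get(pkt.src_ip)
        if ext is None:
            if not self.pool:
                return None
            ext = self.pool.pop(0)
            self.table[pkt.src_ip] = ext
            self.reverse[ext] = pkt.src_ip
        return replace(pkt, src_ip=ext)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.reverse.get(pkt.dst_ip)
        return None if internal is None else replace(pkt, dst_ip=internal)
```

The differences between the types show up in the drop cases: a static rule answers an unsolicited inbound packet to a mapped external address, a port rule silently drops an inbound packet whose port has no entry and drops an outbound packet that does not start a connection, and a pooled rule reuses a host's existing external address but drops a new host once every pool address is taken.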


Enabling interface NAT policies 

To configure a new interface NAT policy: 
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1 Go to the System->Firewall NAT screen. 

2 Click on the Interface NAT check box under the Enabled column. The NAT 
Set list box shows the currently selected NAT set and lists any additional NAT 
sets. 



3 Click on the NAT Configuration link to go to the NAT Set page. 
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4 To create a new NAT set, type the name of the NAT set and click on the Create 
button. The NAT->Edit Set screen appears with (No rules currently defined) 
in the NAT Rules list box. 
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5 Click on the Add Rule button to add the rule. The NAT—> Add Rule screen 
appears. 



6 Under Translation Type, select Static, Pooled, or Port from the drop-down list. 

7 Under Internal, enter the start (first available) and end (last available) 
addresses that represent the address pool that is used within the intranet. 

8 Under External, enter the Starting External address for the address range. If 
the translation type is Pooled, then you must also enter an Ending External 
address. 

9 Click on OK. 

10 Click on Close to return to the NAT screen. 

11 Click on the NAT Configuration link to go to the Profiles->NAT Sets screen 
to create a new NAT set if you do not want to use any of the existing ones. 

12 You can use the Return to Firewall/NAT screen link to go back to this screen 
and apply the new NAT set. Selecting Interface NAT applies to non-tunneled 
traffic only. It does not affect the NAT sets applied to branch office tunnels. If 
any branch office tunnel NAT sets are assigned, they remain in effect for those 
branch office tunnels. 
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To edit an existing NAT set: 

1 Go to the System->Firewall NAT screen. 

2 Click on the Interface NAT check box under the Enabled column. On the NAT 
screen, the NAT Set list box shows the currently selected NAT set and lists 
any additional NAT sets. 



3 Select the NAT set that you want to edit and click on the Edit button. The 
NAT—>Edit Set screen appears. 

4 Select the rule within the policy that you want to edit and click on the Edit 
button. 

To delete a NAT set: 

1 Go to the System->Firewall NAT screen.

2 Click on the Interface NAT check box under the Enabled column. The NAT 
Set list box shows the currently selected NAT set and lists any additional NAT 
sets. 
3 Select the NAT set that you want to delete and click on the Delete button. The
NAT—>Delete Set screen appears, asking if you are sure you want to delete the
NAT set.

4 Click on OK. This returns you to the NAT screen. 
Chapter 4

Monitoring the Firewall 


This chapter describes how to use logging and reporting on the switch to monitor
usage and tune the firewall, and how SNMP traps notify you of unusual activity.
You can use many of the same methods that you use on your switch to gain
information about firewall activity. For comprehensive details on these utilities,
see Configuring the Contivity VPN Switch or the switch's on-line help.


Logging 


The Contivity Stateful Firewall logs the following events: 

• Changes made to a policy in the config log 

• Traffic handled by the firewall in the event log and the system log 

• Detailed firewall events in the event log only 

The firewall logs the following events in the config log: 

• Name of any new policy created 

• Name of any deleted policy 

• New rules added to a policy 

• Rules deleted from a policy 

• Modifications to any rules 

When the firewall handles traffic, the following details are written to the event log
and also kept in the system log:

• Source IP and port 

• Destination IP and port 
• Action (allow, drop or reject)

• Rule number that was enforced 

You can identify these messages by the tag CSFW. 

You can control how much information is written to the system log, according to 
the option selected in the Log column (field) of each rule, as follows: 

• None - no logging 

• Brief - record only the connection information 

CSFW [13] Rule [DEFAULT 5] Firewall: 
[47.130.130.168:46929-201.134.251.2:135, tcp], action: Allow 

• Detail - record both the connection information, plus the first 20 bytes of the 
IP header, and the first 20 bytes of the TCP or UDP header 

CSFW [13] Rule [DEFAULT 5] Firewall: 
[47.130.130.168:46929-201.134.251.2:135, tcp], action: Allow 

CSFW [13] Ip Hdr: Hex[45 00 00 2c a3 78 40 00 fd 06 7c 01 2f 82 82 a8 2f f8 
7c 2f] 

CSFW [13] UDP/TCP Hdr: Hex[b7 51 00 87 be 04 2b be 00 00 00 00 60 02 
22 38 76 01 00 00] 

• Trap - same as Detail, and also trap these records 
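A parser for the CSFW record formats shown above, which also decodes the IP and TCP header bytes that the Detail level appends. This is an added example, not code from the manual or from Nortel; the sample records are constructed from the formats above (with the Detail hex kept on one line), and the function and field names are the example's own.

```python
"""Parse Contivity Stateful Firewall (CSFW) system-log records and decode the
20-byte IP and TCP/UDP header dumps written at the Detail log level.

Added example, not part of the Nortel manual. SAMPLE_LOG is constructed from
the record formats the manual shows."""
import ipaddress
import re
import struct

# Constructed sample: one Brief record followed by one Detail record.
SAMPLE_LOG = """\
CSFW [13] Rule [DEFAULT 5] Firewall: [47.130.130.168:46929-201.134.251.2:135, tcp], action: Allow
CSFW [13] Rule [DEFAULT 5] Firewall: [47.130.130.168:46929-201.134.251.2:135, tcp], action: Allow
CSFW [13] Ip Hdr: Hex[45 00 00 2c a3 78 40 00 fd 06 7c 01 2f 82 82 a8 2f f8 7c 2f]
CSFW [13] UDP/TCP Hdr: Hex[b7 51 00 87 be 04 2b be 00 00 00 00 60 02 22 38 76 01 00 00]
"""

RULE_RE = re.compile(
    r"CSFW \[(?P<level>\d+)\] Rule \[(?P<rule>[^\]]+)\] Firewall: "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)-(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"(?P<proto>\w+)\], action: (?P<action>\w+)"
)
HDR_RE = re.compile(r"CSFW \[\d+\] (?P<kind>Ip|UDP/TCP) Hdr: Hex\[(?P<hex>[0-9a-f ]+)\]")

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_ip_header(raw: bytes) -> dict:
    """Decode the first 20 bytes of an IPv4 header (exactly what Detail logs)."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,                      # 6 = TCP, 17 = UDP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def decode_tcp_header(raw: bytes) -> dict:
    """Decode the first 20 bytes of a TCP header (the fixed part, no options)."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flag_bits = off_flags & 0x3F
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": off_flags >> 12,        # header length in 32-bit words
        "flags": [name for bit, name in TCP_FLAGS.items() if flag_bits & bit],
        "window": window,
    }


def decode_udp_header(raw: bytes) -> dict:
    """Decode a UDP header; only 8 of the 20 logged bytes are header."""
    sport, dport, length, _csum = struct.unpack("!HHHH", raw[:8])
    return {"sport": sport, "dport": dport, "length": length}


def parse_csfw(text: str) -> list:
    """Return one dict per Rule record. Header lines that follow a Rule record
    (Detail and Trap levels) are decoded and attached to that record."""
    records = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("level", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
            continue
        h = HDR_RE.match(line)
        if h and records:
            raw = bytes.fromhex(h.group("hex").replace(" ", ""))
            if h.group("kind") == "Ip":
                records[-1]["ip_header"] = decode_ip_header(raw)
            elif records[-1]["proto"] == "tcp":
                records[-1]["tcp_header"] = decode_tcp_header(raw)
            else:
                records[-1]["udp_header"] = decode_udp_header(raw)
    return records


def count_by_rule_and_action(records: list) -> dict:
    """Tally (rule, action) pairs, the first thing to look at when tuning."""
    counts = {}
    for rec in records:
        key = (rec["rule"], rec["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running parse_csfw over a syslog export gives per-rule hit counts, and the decoded TCP flags show whether a logged Allow was a new connection (SYN) or an existing flow.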

You can also send the system log records to another host using syslog. For more 
information, refer to Reference for the Contivity VPN Switch. 

The following events are recorded only in the event log:

• Tunnels 

• Security 

• Backups 

• Detailed firewall events such as conversations and flows 

• Changes to hardware 

• Daemon processes 

• Changes to software drivers 

• Interface card driver events 
• Debugging messages

The event log consists of approximately 2000 records, which are kept in memory.
When it is full, the oldest record is overwritten by the newest entry. The event log
clears when you use the Clear button in the GUI or the clear command in the CLI.
The event log is written to disk only when you run the "show logging events" CLI
command.

You can control how much information is written to the event log concerning the 
detailed firewall events. On the Firewall/NAT—>Edit screen, there are six logging 
options: 

• All - includes Traffic, Policy Manager, Firewall, and NAT 

• Traffic - logs when flows and conversations are created or removed 

• Policy Manager - logs firewall processes and when rules and policies are 
created 

• Firewall - logs how the firewall handles packets within a flow 

• NAT - logs NAT-related events 

• Debug - creates special log messages intended for use only by Nortel 
Networks customer support 

Firewall event logs are maintained on the switch. To view logging for the firewall,
go to Status—>Event Log. Firewall entries use the CSFW identifier.

To view firewall events, go to the Status—>System Log (or Status—>Event Log)
screen or use the show logging system (or show logging events) command in the
CLI.


SNMP traps 

The switch supports SNMP MIB II using Gets. SNMP traps allow you to react to 
events that need attention or that might lead to problems. Through the community 
name, you can define the management stations that receive the SNMP traps. The 
switch supports all of the SNMP management stations including HP Open View, 
IBM NetView 6000, Cabletron Spectrum, and Sun Net Manager. 
The switch allows the scripting of SNMP alerts so that a combination of system
variables can signal an SNMP trap. When a trap occurs, the Nortel Networks icon
on a standard management station turns red, signaling that there is a problem. The
operator double-clicks on the icon, which then opens the browser to the Nortel
Networks management interface.

The SNMP Trap Settings display (Admin—>SNMP—>Trap Settings) allows you to
specify the level of severity that is reported for the trap. You can also specify that
the trap be sent only once. The Name column lists the traps that are available for
your firewall and provides status of the firewall that is currently enabled on the
switch.

You can view the Health Check screen for the results of SNMP Traps. 

You can also use the Health Check page to check on the current state of the
Contivity Stateful Firewall. If it is running normally, the entry for the firewall is in
an OK state and displays a "Contivity Stateful Firewall Active" message. If you
are running the system default policy, the firewall displays a "System default
policy in effect for Contivity Stateful Firewall" message. If there is an error with
the current policy, the firewall entry is in an Alert state with the message "LDAP
policy parse failed - using system default policy."


Reports 


The Status->Reports screen on the switch allows you to view system and 
performance data in text or graphical format. You can generate current or 
historical graphs of valuable system data. With the reports feature, you can either 
view a comprehensive display or download reports on firewall activity. 

Clicking on Graph causes a Java applet to be loaded into your browser. When
there, you can choose between graph types and time features. The first time you
click Graphs, it can take a few minutes for the graphing package to download over
a dial-up interface. Thereafter, it is cached and appears quickly.

Chapter 5

Command Line Interface 


This chapter describes the Contivity Stateful Firewall Command Line Interface 
(CLI). The CLI enables you to configure the switch via a telnet or serial port 
session. For information on CLI commands for your switch, see Reference for the 
Contivity Extranet Switch Command Line Interface. 


Accessing the CLI 

Access from a telnet session 

You access the CLI by starting a telnet session to the switch's management IP 
address, for example: 

telnet 10.0.16.247 

You then log in to the switch using an account with administrator privileges, for 
example: 


Login: admin 
Password: ******* 

CES> 

Upon login, the CLI prompt appears (CES>), indicating that you are in the CLI
Exec Mode. You can execute any User Exec Mode commands or change the
command mode in order to execute other commands. You can have only four
telnet sessions running at one time. Each telnet session times out if idle for the
amount of time set. If you change the idle time-out, it applies only to telnet
sessions made after this change.

Access from the Serial Port menu


You can access the CLI through the Serial Port menu if you have a serial port 
connection to the switch. Select L from the Serial Port menu, shown below, to 
access the CLI. Figure 27 shows the Serial Port menu. 

Figure 27 Serial Port menu 
Command modes

The switch CLI has three command modes. 

• User Exec Mode (User Mode)—This is the initial command mode when the 
administrator first establishes a telnet connection to the switch. It is also 
called Exec mode. You cannot modify configuration parameters or view the 
configuration file in this mode; however, you can clear a route. 

• Privileged Exec Mode (Priv Mode)—This command mode is entered from
User Exec mode with the enable command. The administrator can exit from
this mode with the disable command and be returned to User Exec mode.
Priv Mode enables more commands than in User Exec mode. Exec commands
are typically one-time commands, for example, show commands and clear
commands. To enter Priv mode, you must enter enable. If another
administrator used enable password while in Global Config mode, the
user trying to enter Priv mode must enter the correct password when
prompted. To leave Priv mode and resume User mode, you can enter either
disable or exit. To leave User mode and exit the telnet session or return
to the Serial Port Menu, you must enter exit. User commands do not work
in Priv mode.

• Global Configuration Mode (Global Mode)—This mode allows the 
administrator to make changes to the switch running configuration. These 
changes are saved across switch reboots. This mode is also used to access 
other configuration modes, such as LDAP, FwPolicy, and NatPolicy. The 
administrator enters this mode from Privileged Exec mode using the 
configure terminal command. To leave this mode and return to 
Privileged Exec mode, enter exit or end. For further information on CLI 
modes, see Reference for the Contivity Extranet Switch Command Line 
Interface. 
Table 1 defines the CLI modes, their prompts, and method of access.


Table 1 CLI Modes, Prompts, and Access

Mode                   Prompt            Access
User Exec Mode         CES>              Login via telnet with administrator name
                                         and password.
Privileged Exec Mode   CES#              Enter the command enable at the User Exec
                                         Mode prompt.
Global Config Mode     CES(config)#      Enter the command configure terminal at
                                         the Privileged Exec Mode prompt.
Fw Policy Mode         CES(fwpolicy)#    Enter the command policy security in
                                         Global mode.
Nat Policy Mode        CES(natpolicy)#   Enter the command policy nat in Global
                                         mode.
Ldap Mode              CES(ldap)#        Enter the command ldap server in Global
                                         mode.


The prompt reflects the current mode, the name of the device, and whether the
user is privileged or not. If the user is privileged, the last character of the prompt is
#. If not, the character is >. Use the enable or disable commands in
Exec mode to switch between privileged and non-privileged.

The cursor shows where typed characters will be inserted. Using the keys 
described in the next section, “Key bindings,” it is possible to change the location 
of the cursor. You can type a line that is longer than the width of the screen. If you 
do, the line scrolls to the left (sliding window) to allow you to type in more 
characters. If you move the cursor to the far left, the line scrolls to the right. 

The terminal settings control the behavior of the Nortel Networks CLI (NNCLI) 
Parser. You can change the width of the terminal as well as the page length. 
Key bindings

You can use the Nortel Networks CLI commands to edit command line text 
entries. Table 2 describes key bindings for NNCLI. 

Table 2 Nortel Networks CLI (NNCLI) key bindings

Keys                       Function
control-A                  start of line
control-B                  back 1 character
control-C                  abort command
control-D                  delete 1 character
control-E                  end of line
control-F                  forward 1 character
control-H &                delete character left of cursor
control-I &                command/parameter completion
control-K                  delete all characters after cursor
control-L & control-R      re-display line
control-N or down arrow    next history command
control-P or up arrow      previous history command
control-Q                  escape sequence for unprintables
control-T                  transpose characters
control-U                  delete entire line
control-W                  delete word left of cursor
control-X                  delete all characters before cursor
                           delete character at cursor
control-Z                  "end" out of config mode
?                          context-sensitive help
esc-c & esc-u              capitalize character at cursor
esc-l                      convert character at cursor to lowercase
esc-b                      backward 1 word
esc-d                      delete 1 word to the right
esc-f                      forward 1 word

Commands

firewall 

This command turns the firewall on or off and specifies the firewall to use. 

Syntax 

firewall {checkpoint | contivity | policy | policy-contivity}
no firewall 

Parameters 

checkpoint Enables checkpoint firewall-1. 

contivity Enables contivity packet filters. 

policy Enables contivity stateful firewall. 

policy-contivity Enables contivity stateful firewall and contivity packet filters. 

Default 

No firewall 

Command mode 

Global configuration 

Next command mode 

Global configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

The specified firewall must be available. 

Warnings 

% xxx firewall does not exist 


Related commands 

filter 

policy 


Example 


CES (config) #firewall checkpoint
CES (config) #firewall contivity
CES (config) #firewall policy
CES (config) #no firewall
CES (config) #firewall policy-contivity

firewall anti-spoof / tunnel filter / connection number

This command turns on or off anti-spoofing or the contivity tunnel filter. It also 
allows you to assign a connection number for the Contivity Stateful Firewall and 
interface NAT. 

Syntax 

firewall {anti-spoof | tunnel-filter | connection-number number}
no firewall {anti-spoof | tunnel-filter}

Parameters 

anti-spoof  Enables or disables anti-spoofing.

tunnel-filter  Enables or disables tunnel filters. They are always enabled
when the Contivity Stateful Firewall is disabled.

connection-number  Specifies the number of boxes you want to connect to
this switch.

number  This number is the connection number, which has a minimum and
maximum number for different switches. This number cannot be beyond the
min-max connection number range.

Default 

Anti-spoofing defaults are disabled.

Tunnel-filter defaults are enabled (always enabled when Contivity Stateful 
Firewall is disabled). 

The default connection number is different for each switch and each has minimum 
and maximum connection numbers. 

Command mode 

Global configuration 

Next command mode 

Global configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 


Warnings 

% Invalid connection number 

% Connection number has to be between xxx and xxx on this switch! 


Related commands 

filter 

policy 


Example 


CES (config) #firewall anti-spoof
CES (config) #firewall tunnel-filter
CES (config) #firewall connection-number 1000
CES (config) #no firewall anti-spoof
CES (config) #no firewall tunnel-filter

firewall logging

This command turns on or off different types of firewall-related logs that display 
different event logs. 

Syntax 

firewall logging {all | traffic | polmgr | firewall | nat | debug}

no firewall logging {all | traffic | polmgr | firewall | nat | debug}

Parameters

all  Enables or disables all traffic, policy manager, firewall and
NAT logging.

traffic  Enables or disables traffic logging.

polmgr  Enables or disables policy manager logging.

firewall  Enables or disables firewall logging.

nat  Enables or disables NAT logging.

debug  Enables or disables debug logging.

Default

None

Command mode

Global Configuration

Next command mode

Global Configuration 

Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

The specified firewall must be available. 


Example 


CES (config) #firewall logging traffic
CES (config) #firewall logging polmgr
CES (config) #firewall logging firewall
CES (config) #firewall logging nat
CES (config) #firewall logging all
CES (config) #firewall logging debug

license

This command enables or disables paid feature license keys. 

Syntax 

license install license-key 
no license license-key-prefix 

Parameters 

license-key  Represents a valid paid feature license key. The first two
characters of this key represent the license key prefix. Valid
prefixes are fw (for firewall) and ar (for advanced routing).

license-key-prefix  Two-character string that specifies which license key is
removed. Valid license-key-prefixes are fw (for firewall) and
ar (for advanced routing).


Default 

None 

Command mode 

Global Configuration 

Next command mode 

Global Configuration 
Required Privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% Failed to remove paid feature feature-name 
% Unknown paid feature feature-name 
% Invalid license key 

Related commands 

show license 

Example 

CES (config-natpolicy) #license install fw-7384034-0342859268-d4
CES (config-natpolicy) #no license fw

Comments

None

netobj

This command adds, edits, or deletes the specific network object or netobj group 
for the user scope in the policy based firewall. Net objects of master scope are 
created dynamically and you cannot edit or delete them. 

Syntax 

netobj [add] name {host ip-address | network network-address |
ip-range ip-address1 ip-address2 | group}
no netobj name

Parameters

add  Creates a new net object or group for the user scope, which can
be assigned to policy rules.

name  Name of net object or group for firewall policy to edit. You
cannot create a name if it already exists.

host  A network host that is specified by the IP address.

network-address  The network address to be assigned to the specific network
object such as host, network. This is of the form ip-address ip-mask.

network  A network specified by an IP address and a mask.

ip-range  A range of IP addresses with a format similar to
ip-address1 ip-address2.

group  Creates a new netobj group with the specific name. It only
works with keyword add.

Default

None

Command mode

Firewall policy configuration

Next command mode

Firewall policy configuration

Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 


Warnings 

% Netobj xxx does not exist (when editing) 
% Netobj xxx already exists (when adding) 


Related commands 

netobj-group 
service 


Example 


CES (config-fwpolicy) #netobj test1 host 10.0.10.123
CES (config-fwpolicy) #netobj add test2 ip-range 10.0.0.1 10.0.0.50
CES (config-fwpolicy) #netobj test3 network 10.23.0.0 255.255.0.0
CES (config-fwpolicy) #netobj testgroup group
CES (config-fwpolicy) #no netobj test4

netobj-group

This command adds, edits, or deletes the specific network object group for the
user scope in the Contivity Stateful Firewall. Net object groups of master scope
are created dynamically and you cannot edit or delete them.

Syntax 

netobj-group netobj-group-name {add I drop} netobj-names 

Parameters 

netobj-group-name  Name of netobj group for firewall policy to edit.

add  Adds netobjs to the specific group. Netobj groups of master
scope are created dynamically and cannot be edited.

drop  Removes netobjs from the specific group. Netobj groups of master
scope are created dynamically and cannot be edited.

netobj-names  Names of the netobjs. Can be one or more.

Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% Netobj xxx is read-only 
% Netobj xxx does not exist 
% Netobj xxx is not a group 

% Netobj xxx already exists in group yyy (when adding a netobj) 

% Netobj xxx does not exist in group yyy (when dropping a netobj from a group) 

Related commands 

netobj 

service group 

Example 

CES (config-fwpolicy) #netobj-group testgroup add test1 test2
CES (config-fwpolicy) #netobj-group testgroup drop test1

policy nat

This command creates a specified NAT set for the switch and puts the CLI into 
NAT configuration mode. 

Syntax 

policy nat [add] natname 
no policy nat natname 

Parameters 

add Creates a new NAT set for the switch. 

natname Name of NAT set to edit or add. 

Default 

None 

Command mode 

Global configuration 

Next command mode 

Nat policy configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% NAT set xxx does not exist (when editing or deleting). 
% NAT set xxx already exists (when adding). 

Related commands 

policy 

Example 

CES (config) #policy nat add testnat
CES (config) #policy nat testnat
CES (config-natpolicy) #exit
CES (config) #no policy nat testnat

policy nat interface

This command turns on or off interface NAT and specifies the type of NAT policy 
to use. 

Syntax 

policy nat interface {enable | disable | assign natname}

Parameters 

enable Turns on interface NAT. 

disable Turns off interface NAT. 

assign Specifies a NAT set for interface NAT. 

natname Name of NAT set to assign. 

Default 

None 

Command mode 

Global configuration 

Next command mode 

Global configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% NAT set xxx does not exist! 

% Interface NAT is already enabled! 

% Interface NAT is already disabled! 

Related commands 

policy security 
policy nat 

Example 

CES (config) #policy nat interface enable
CES (config) #policy nat interface disable
CES (config) #policy nat assign mynatset

policy security

This command puts you in firewall policy configuration mode for the given policy
name. If you specify the optional add parameter, the command creates the
specified policy and enters firewall policy configuration mode. If the optional
assign parameter is specified, the command assigns a specific policy to the
switch and remains in global configuration mode. If you specify neither add nor
assign, the command enters firewall policy configuration mode and opens the
specified policy for editing. The no form of this command deletes the specified
policy from the switch.

Syntax 

policy security [{add |assign}] policy-name 
no policy security policy-name 

Parameters

security  Settings for the security policy.

add  Creates a new policy for the policy-based firewall, then puts the
CLI into firewall policy configuration mode.

assign  Specifies one policy to be used for the current firewall.

policy-name  Name of policy for the policy-based firewall to edit.

Default

None

Command mode

Global configuration

Next command mode

Firewall policy configuration for adding and editing
Global configuration for assigning

Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

Policy-based firewall must be available on the switch. 

Warnings 

% Policy xxx does not exist (when editing or deleting or assigning) 
% Policy xxx already exists (when adding) 

% Policy xxx is in use and can not be deleted 

Related commands 

firewall 
filter 
policy nat 

Example 

CES (config) #policy security add test1

CES (config-fwpolicy) #exit

CES (config) #policy security assign test2

CES (config) #policy security test3

CES (config-fwpolicy) #exit

CES (config) #no policy security test4

rule (Firewall Policy Configuration)

This command adds or edits the specified firewall policy rule to the current 
firewall policy in the Contivity Stateful Firewall. When you add a rule, the 
firewall always adds the rule to the top of the rule group. You cannot use the CLI 
to reorder rules within a group; you must cut and paste them in the order you want 
to use. For further information on the rule parameters, see Chapter 2, 
“Configuring the Firewall.” 

Syntax 

rule {default | override | {interface interface-name {source |
destination}}} {add | rule-number} [src-interface interface-name]
[dest-interface interface-name] [src-address address] [dest-address
address] [service service-name] [action action-name] [log
log-level] [remark text]

no rule {default | override | {interface interface-name {source |
destination}}} number

Parameters 

default  Specifies that the rule is a default rule.

override  Specifies that the rule is an override rule.

interface  Specifies that the rule is an interface rule.

source  Specifies that the interface rule is a source interface rule.

destination  Specifies that the interface rule is a destination interface rule.

add  Specifies that the policy rule should be created.

rule-number  Rule number in this firewall policy rule set.

src-interface  Settings are for the source interface. Not recognized for source
interface rules.

dest-interface  Settings are for the destination interface. Not recognized for
destination interface rules.

interface-name  The interface-name for override rules can be trusted,
untrusted, any or tunnel:any.

For a source interface rule, the interface-name of the destination
interface can be any, an end user interface (T0 - Tn), a branch
office interface (Tx - Ty), a physical interface (E0 - En),
trusted, untrusted, tunnel:any or system-ip. For a destination
interface rule, the interface-name of the source interface can be
any, trusted, untrusted or tunnel:any.

src-address  Settings are for the source address.

dest-address  Settings are for the destination address.
address  IP address for the source or destination. Can be a dotted IP
address, a host name, an IP address and mask which specifies a
subnet, or any.

service  Set the service for the current firewall policy rule.

service-name  Name of the service. Can be any or a predefined protocol such
as FTP, HTTP, Telnet, SMTP, etc. It can also be a protocol (TCP
or UDP) followed by a port number.

action  Set the action for the current firewall policy rule.

action-name  Name of the action. Can be accept, drop or reject.

log  Event log.

log-level  Can be one of none, brief, detail, trap. Trap is the same as
detail, but also enables SNMP traps on a rule match.

remark  The comments users can put in.

text  The content of the remark. If the value for the text parameter
contains spaces, it may be enclosed in double quotes so that it
has a single parameter value.


Default 

For newly created rules, the default action is reject. The firewall determines the
default interface by the type of rule group to which it belongs. In an interface rule
set, either the source interface or the destination interface has a default value that
you cannot change. The default settings of other fields are Any.

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% Rule xxx does not exist 
% Invalid interface name 
% Invalid network address 
% Invalid service name 
% Invalid number of arguments 

Related commands 

policy 

Example 

CES (config-policy) #rule override 3 src-interface untrusted 
src-address 192.32.0.0 dst-address 192.32.240.11 service ftp action 
accept log full remark "This is for test" 

CES (config-policy) #rule interface "Tunnel:/Base/myTunnel" source 
add dst-address 192.32.240.11 service ftp action accept log full 
remark "This is for test" 

CES (config-policy) #rule interface "Tunnel:/Base/myTunnel" source 
3 dst-address 192.32.240.12 service ftp action accept log brief 

CES (config-policy) #rule default 3 src-address 192.32.0.0 service 
ftp action accept 

CES (config-policy) #no rule interface "Tunnel:/Base/myTunnel" 3
CES (config-policy) #no rule override 3

rule (NAT Policy Configuration)

This command edits or adds the specified NAT rule to the current NAT set. 

Syntax 

rule [add] rule-number {static internal start-address end-address
external start-address | pooled internal start-address end-address
external start-address end-address | port internal start-address
end-address external start-address}

no rule rule-name

Parameters 

add  Specifies that the NAT rule should be created.

rule-number  Number of the NAT rule. This number appears when you use
the show rules all command, which displays the list of
NAT rules indexed by numbers.

static  Static address translation rules.

internal  Addresses are used within the intranet.

start-address  First available address that is used within the intranet address
pool or used for the public network.

end-address  The last available address that is used within the intranet
address pool or used for the public network.

external  Addresses are used for the public network (Internet).

pooled  Settings are for the dynamic pooled NAT.

port  Settings are for the dynamic port NAT.

Default 

None 

Command mode 

NAT policy configuration 

Next command mode 

NAT policy configuration 
Required privileges

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% Invalid address 

% NAT rule xxx does not exist (when editing or deleting)

% NAT rule xxx already exists (when adding) 

Related commands 

nat 

Example 

CES (config-nat) #rule testrule1 static internal 10.0.10.111
10.0.10.200 external 202.96.3.44

CES (config-nat) #rule add testrule2 pooled internal 10.0.10.111
10.0.10.200 external 202.96.3.0 202.96.3.255

CES (config-nat) #rule testrule3 port internal 10.0.10.111
10.0.10.200 external 202.96.3.44

CES (config-nat) #no rule testrule
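A small model of the three translation types (static, pooled, port) driven by rule lines in the syntax above, showing how each type picks the external address and port and what happens when a pool runs out. This is an added example, not Nortel code: the rule addresses are the manual's own, while the NatSet class, the lease bookkeeping, the starting dynamic port (1024) and the pool-exhaustion result are the example's assumptions.

```python
"""Model of static, pooled and port NAT as the manual describes them.

Added example, not Nortel code. The rule lines in MANUAL_RULE_LINES are the
manual's own; lease bookkeeping and the first dynamic port are assumptions."""
from ipaddress import IPv4Address

MANUAL_RULE_LINES = (
    "rule testrule1 static internal 10.0.10.111 10.0.10.200 external 202.96.3.44",
    "rule add testrule2 pooled internal 10.0.10.111 10.0.10.200 external 202.96.3.0 202.96.3.255",
    "rule testrule3 port internal 10.0.10.111 10.0.10.200 external 202.96.3.44",
)


def parse_nat_rule(line: str) -> dict:
    """Parse 'rule [add] name {static|pooled|port} internal a b external c [d]'."""
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError("not a rule command: %r" % line)
    tok = tok[1:]
    if tok[0] == "add":
        tok = tok[1:]                 # 'add' means create rather than edit
    if len(tok) < 7 or tok[2] != "internal" or tok[5] != "external":
        raise ValueError("expected: name type internal a b external c [d]")
    name, kind = tok[0], tok[1]
    rule = {"name": name, "type": kind,
            "int_start": IPv4Address(tok[3]), "int_end": IPv4Address(tok[4]),
            "ext_start": IPv4Address(tok[6])}
    if kind == "pooled":
        if len(tok) != 8:
            raise ValueError("pooled needs an ending external address")
        rule["ext_end"] = IPv4Address(tok[7])
    elif kind in ("static", "port"):
        if len(tok) != 7:
            raise ValueError("%s takes a single starting external address" % kind)
    else:
        raise ValueError("unknown translation type: " + kind)
    return rule


MANUAL_RULES = [parse_nat_rule(line) for line in MANUAL_RULE_LINES]


class NatSet:
    """One NAT set; translate() applies the first rule covering the internal address."""

    def __init__(self, rules, first_dynamic_port=1024):
        self.rules = list(rules)
        self.pool_leases = {}                 # pooled: internal ip -> external ip
        self.port_leases = {}                 # port: (internal ip, port) -> ext port
        self.next_port = first_dynamic_port   # assumption: sequential allocation

    def translate(self, src_ip: str, src_port: int):
        """Return (external ip, external port); None if the pool is exhausted;
        the input unchanged when no rule covers the internal address."""
        ip = IPv4Address(src_ip)
        for r in self.rules:
            if not (r["int_start"] <= ip <= r["int_end"]):
                continue
            if r["type"] == "static":
                # one-to-one: same offset into the external range, port untouched
                return str(r["ext_start"] + (int(ip) - int(r["int_start"]))), src_port
            if r["type"] == "pooled":
                ext = self.pool_leases.get(ip)
                if ext is None:
                    # next available external address, sticky for this host
                    in_use = set(self.pool_leases.values())
                    ext = r["ext_start"]
                    while ext <= r["ext_end"] and ext in in_use:
                        ext += 1
                    if ext > r["ext_end"]:
                        return None           # no external address left
                    self.pool_leases[ip] = ext
                return str(ext), src_port
            # port: every internal host hides behind ext_start; flows differ by port
            key = (ip, src_port)
            if key not in self.port_leases:
                self.port_leases[key] = self.next_port
                self.next_port += 1
            return str(r["ext_start"]), self.port_leases[key]
        return src_ip, src_port
```

Note that the three manual rules cover the same internal range, so in one NAT set only the first would ever match; the model is meant to be exercised one rule at a time.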
service

This command adds, edits, or deletes the specific service or service group for the 
user scope in the policy-based firewall. Services of master scope are created 
dynamically and you cannot edit or delete them. 

Syntax 

service [add] name 
    {tcp {port-num num | port-range num1 num2} | 
     udp {port-num num | port-range num1 num2} | 
     ip protocol-num num | 
     icmp {type-num num | any} {code-num num | any | code-range num1 num2} | 
     group} 

no service name 

Parameters 

add            Creates a new service or group that can be assigned to policy 
               rules. 

name           Name of service or service group for firewall policy to edit. 
               You cannot create any name that already exists. 

tcp            Service type TCP. 

udp            Service type UDP. 

ip             Service type IP. 

icmp           Service type ICMP. 

port-num       Number of port. 

protocol-num   Number of protocol. 

type-num       ICMP type number. 

code-num       ICMP code number. 

num            Number used for tcp/udp port-num, tcp/udp port-range, ip 
               protocol-num, icmp type-num, icmp code-num, icmp 
               code-range. 

code-range     Range of ICMP code numbers. 

group          Creates a new service group with the specific name. It only 
               works with the keyword add. 
Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 

Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 


Warnings 

% Service xxx does not exist (when editing or deleting) 
% Service xxx already exists (when adding) 


Related commands 

service-group 

netob 


Example 


CES (config-fwpolicy) #service add test1 tcp 111 
CES (config-fwpolicy) #service add test2 icmp type 23 code 45 
CES (config-fwpolicy) #service add test3 udp 23 45 
CES (config-fwpolicy) #service add test4 ip 10 
CES (config-fwpolicy) #service add testgroup1 group 
CES (config-fwpolicy) #service test2 icmp type 23 code 45 50 
CES (config-fwpolicy) #no service test3 
service-group 

This command adds, edits, or deletes the specific service group in the Contivity 
Stateful Firewall. Service groups of master scope are created dynamically and you 
cannot edit or delete them. 

Syntax 

service-group service-group-name {add | drop} service-names 

Parameters 

service-group-name   Name of service group for which you can edit firewall policy. 

add                  Adds services to the specific group. Service groups of master 
                     scope are created dynamically and cannot be edited. 

drop                 Removes services from the specific group. Service groups of 
                     master scope are created dynamically and cannot be edited. 

service-names        Names of the services. Can be one or more. 

Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

% Service xxx is read-only 
% Service xxx does not exist 
% Service xxx is not a group 

% Service xxx already exists in group yyy (when adding a service to a group) 

% Service xxx does not exist in group yyy (when dropping a service from a group) 

Related commands 

netobj-group 
service 

Example 

CES (config-fwpolicy) #service-group testgroup1 add test1 test2 
CES (config-fwpolicy) #service-group testgroup1 drop test1 
show firewall 


This command displays all available firewall types or the firewall that is currently 
in use. It can also display firewall logging information. 


Syntax 

show firewall {all | enabled | logging | anti-spoof | tunnel-filter | 
connection-number} 


Parameters 

all                 Displays all available firewall types, which include Check 
                    Point Firewall, Policy-based Firewall, Contivity Stateful 
                    Firewall, or Policy and Contivity Stateful Firewall, which 
                    co-exist. 

enabled             Displays the firewall type that is turned on, if any. 

logging             Displays the firewall logging types (traffic, policy manager, 
                    firewall, NAT or debug) that are disabled or enabled. 

anti-spoof          Displays the enabled or disabled status of anti-spoofing. 

tunnel-filter       Displays the enabled or disabled status of the tunnel filters. 

connection-number   Displays the currently specified connection number and 
                    the minimum/maximum number on this switch. 


Default 

None 

Command mode 

Global configuration 

Next command mode 

Global configuration 

Required privileges 

System Management - Manage 
User Management - None 
Prerequisites 

None 

Warnings 

None 

Related commands 

policy security 


Example 


CES (config) #show firewall all 
CES (config) #show firewall enabled 
CES (config) #show firewall logging 
CES (config) #show firewall anti-spoof 
CES (config) #show firewall tunnel-filter 
CES (config) #show firewall connection-number 
show interfaces 

This command displays the available interfaces that you can apply to a policy or a 
policy rule. 

Syntax 

show interfaces [tunnel | bo-tunnel | physical | all] 

Parameters 

tunnel         Displays a list of tunnel interfaces which are available on the 
               switch. 

bo-tunnel      Displays a list of branch office tunnel interfaces which are 
               available on the switch. 

physical       Displays all of the available physical interfaces on the switch. 

all            Displays all of the available interfaces on the switch. 

Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

None 

Related commands 

show netobjs 
show services 

Example 

CES (config-fwpolicy) #show interfaces 
CES (config-fwpolicy) #show interfaces all 
CES (config-fwpolicy) #show interfaces tunnel 
CES (config-fwpolicy) #show interfaces bo-tunnel 
show license 

This command displays the status of paid features on the CES. 

Syntax 

show license 

Parameters 

None 

Default 

None 

Command mode 

Global Configuration 

Next command mode 

Global Configuration 

Required Privileges 

System Management - Manage 
User Management - None 
Prerequisites 

None 

Warnings 

None 

Related commands 

license 
no license 

Example 

CES (config-natpolicy) #show license 
Advanced Routing: Enabled 
Contivity Stateful Firewall: Enabled 

Comments 

None 
show netobjs 

This command displays all of the available netobjs and netobj groups that you can 
use for firewall policies. 

Syntax 

show netobjs [ netobj-type] 

Parameters 

netobj-type Restricts display of netobjs to specified type. Valid types are 

host, network, ip_range, and group. 

Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 


Warnings 

None 


Related commands 

show netobjs 


Example 


CES (config-fwpolicy) #show netobjs 
CES (config-fwpolicy) #show netobjs host 
CES (config-fwpolicy) #show netobjs network 
CES (config-fwpolicy) #show netobjs ip_range 
show policy nat 

This command displays all available NAT sets on the switch. If you specify 
keyword interface, it displays interface NAT information. 

Syntax 

show policy nat [interface] 

Parameters 

nat Displays a list of NAT sets that are available on the switch. 

interface Displays the status of interface NAT (on or off) and the NAT set 
assigned to it. 


Default 

None 

Command mode 

Global configuration 

Next command mode 

Global configuration 

Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 
Warnings 

None 

Related commands 

show policy 
show firewall 

Example 

CES (config) #show policy nat 

CES (config) #show policy nat interface 
show policy security 

This command displays all of the available firewall policies or the policy currently 
in use. 

Syntax 

show policy security {all | enabled} 

Parameters 

security Specifies firewall policies. 

all Displays the names of all of the available policies, 

enabled Displays the policy that is currently in use. 

Default 

None 

Command mode 

Global configuration 

Next command mode 

Global configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

None 

Related commands 

show firewall 

Example 

CES(config)#show policy security all 
CES(config)#show policy security enabled 
show rules (Firewall Policy Configuration) 

This command displays all of the available rules for the current override, 
interface, or default rule mode. The displayed rules are ordered by number. 

Syntax 

show rules {all | implied | post-implied | default | override | interface interface-name} 

Parameters 

all              Displays all of the rules in the policy. 

implied          Displays read-only implied rules. 

post-implied     Displays read-only post-implied rules. 

default          Displays all rules in the default rule set. 

override         Displays all rules in the override rule set. 

interface        Displays the rules in the interface rule set with either a source 
                 or destination interface of interface-name. 

interface-name   Specifies the name of the interface to display rules for in the 
                 interface rule set. 


Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 


Warnings 

None 


Related commands 

show policy 


Example 


CES (config-fwpolicy) #show rules default 
CES (config-fwpolicy) #show rules override 
CES (config-fwpolicy) #show rules interface LAN 
CES (config-fwpolicy) #show rules all 
CES (config-fwpolicy) #show rules implied 
CES (config-fwpolicy) #show rules post-implied 
show rules (NAT Policy Configuration) 

This command displays available NAT rules. 

Syntax 

show rules {all | rule-number} 

Parameters 

all Displays all of the NAT rules that are available in the switch. 

rule-number Displays the NAT rule with the specific number. This number 
appears when you use the show rules all command, 
which displays the list of NAT rules indexed by numbers. 

Default 

None 

Command mode 

NAT policy configuration 

Next command mode 

NAT policy configuration 

Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 
Warnings 

% NAT rule xxx does not exist. 

Related commands 

show policy 

Example 

CES (config-natpolicy) #show rules all 
CES (config-natpolicy) #show rules 2 
show services 

This command displays all of the available services and service groups you can 
use for firewall policies in the Contivity Stateful Firewall. 

Syntax 

show services [ service-type] 

Parameters 

service-type Restricts display to show only services of specified type. Valid 
types are TCP, UDP, ICMP, IP, and group. 

Default 

None 

Command mode 

Firewall policy configuration 

Next command mode 

Firewall policy configuration 
Required privileges 

System Management - Manage 
User Management - None 

Prerequisites 

None 

Warnings 

None 

Related commands 

show netobjs 

Example 

CES (config-fwpolicy) #show services 

CES (config-fwpolicy) #show services ip 

CES (config-fwpolicy) #show services tcp 
Appendix A 
Error Messages 


This appendix provides a listing of possible syslog messages that the Contivity 
Stateful Firewall might write to a remote system. Each message is followed by a 
description and the recommended corrective action, if any. 


Firewall messages 

An error occurred while parsing the policy 

Description: The policy that you are attempting to view or edit cannot be opened 
because it does not conform to the required format. This may be caused by an 
error in the LDAP database or a problem with the connection to the switch. 

Action: 

1 Close the Contivity Stateful Firewall Manager. 

2 Close all instances of the browser used to load the Contivity Stateful Firewall 
Manager. 

3 Be sure that the connection to the switch is established. 

4 Be sure that the LDAP server containing the policy is properly configured and 
is active. 

5 Restart the browser and navigate to the System → Firewall screen. 

6 Reload the Contivity Stateful Firewall Manager. 
An error occurred while communicating with the switch 

Description: The Contivity Stateful Firewall Manager encountered an error while 
retrieving the data from the switch. This may have been caused by a network error 
or the switch may have stopped responding. 

Action: 

1 Close the Contivity Stateful Firewall Manager. 

2 Close all instances of the browser used to load the Contivity Stateful Firewall 
Manager. 

3 Be sure that the connection to the switch is established. 

4 Restart the browser and navigate to the System → Firewall screen. 

5 Reload the Contivity Stateful Firewall Manager. 

Authorization failed. Please try again. 

Description: This error occurs when the wrong authentication credentials are 
entered. The user is re-prompted for credentials until they are either correct or the 
user clicks Cancel. 

Action: No action required. 

Unable to communicate with the switch 

Description: The Contivity Stateful Firewall Manager cannot establish a 
connection to the switch. This may have been caused by a network error or the 
switch may not be responding to requests. 

Action: 

1 Close the Contivity Stateful Firewall Manager. 

2 Close all instances of the browser used to load the Contivity Stateful Firewall 
Manager. 

3 Be sure that the connection to the switch is established. 

4 Restart the browser and navigate to the System → Firewall screen. 

5 Reload the Contivity Stateful Firewall Manager. 

The contents of the database may have changed... 

Description: This error occurred because the LDAP database has changed in such 
a way that the current data in the Contivity Stateful Firewall Manager might not 
be valid. This error is encountered when the: 

• Internal LDAP server has been shut down and restarted 

• External LDAP server in use is switched to the internal LDAP server 

• Internal LDAP server in use is switched to an external LDAP server 

• External LDAP server’s port or IP address changes 

Action: 

To ensure that the most current data is loaded: 

1 Close the current policy, if opened. Saving is not permitted until this error is 
remedied. 

2 From the policy selection screen, select All from the Refresh menu. 

System files were not loaded properly ... 

Description: This error occurred because the files necessary to load the Contivity 
Stateful Firewall Manager were either not downloaded from the switch properly 
or were not initialized properly. 

Action: 

If this error is encountered: 

1 Close the Contivity Stateful Firewall Manager. 

2 Close all instances of the browser used to load the Contivity Stateful Firewall 
Manager. 

3 Restart the browser and navigate to the System → Firewall screen. 

4 Reload the Contivity Stateful Firewall Manager. 


Managing the Contivity Stateful Firewall 



124 Appendix A Error Messages 


If the error continues to occur or if the Contivity Stateful Firewall Manager is 
being accessed through a user tunnel: 

1 Open the Java Plug-in Properties. 

2 On Windows systems, navigate to Start → Settings → Control Panel → Java 
Plug-in. For all other systems, refer to the Java Plug-in documentation. 

3 Be sure that the check box for Cache JARs in Memory is deselected. 

4 Click on Apply and close the Java Plug-in Properties window. 

5 Close the Contivity Stateful Firewall Manager. 

6 Close all instances of the browser used to load the Contivity Stateful Firewall 
Manager. 

7 Restart the browser and navigate to the System → Firewall screen. 

8 Reload the Contivity Stateful Firewall Manager. 